Whatever Happened to Continuous Auditing?

Ever since Section 404 of the Sarbanes-Oxley Act took real effect in 2004, audit experts and software vendors have touted the benefits of continuous monitoring and continuous auditing. Yet years later, those concepts still haven't gone mainstream with Corporate America. What happened?

The idea of continuous monitoring and auditing is seductive, certainly: If you monitor and test your key controls over financial reporting nonstop, mistakes can be caught early and corrected before they lead to material errors in financial statements; accomplish that, and compliance with Section 404 should be a breeze.

Taylor

Proponents also contended that continuous monitoring and auditing could thwart fraud, since the techniques monitor all a company's transactions and management overrides (theoretically), rather than a random sampling that might not catch whatever is amiss. “I would argue this is your best chance of finding fraud,” says Patrick Taylor, CEO of software vendor Oversight Systems.

Still, here we are at the brink of 2011, and continuous auditing and monitoring have not gained widespread use. America's largest public companies and their external auditors have settled into their comfort zones around internal controls and Section 404 compliance—with the word “continuous” barely part of the conversation.

Jason Pett, an internal audit services partner with PwC, says a recent survey by his firm found that only about 20 percent of companies consider themselves to have a more mature grasp of the data analytics technology used in continuous auditing processes, while only 10 percent consider themselves in the lowest tiers of data analytics and continuous auditing use. “That puts 70 percent in the middle, who say they're working on it,” he says. “The majority are focused on it, but I wouldn't say the majority have optimized the use of continuous auditing within their organizations.”

Another recent poll by the Institute of Internal Auditors showed 45 percent of companies say they use continuous auditing at least to some degree to perform auditing activities; 66 percent say they aspire to implement some continuous audit process in the near future.

So if continuous auditing and monitoring have such powerful potential to lock down the control environment and financial processes, reducing the risk of misstatements to almost nil, why aren't companies and their auditors adopting in greater number? Like so many issues in the governance, risk, and compliance realm, the answers are complicated and somewhat nuanced.

Barriers to Implementation

Bi

Cost, of course, is an issue, says Lily Bi, director of standards and guidance for the Institute of Internal Auditors. She admits that the concepts of continuous auditing and monitoring have been around for a few decades, but they haven't advanced to the level expected by the end of 2010. That has slowed adoption, since companies have plenty of other pressing priorities. “For this kind of technology, you need to invest a lot of time, a lot of money and a lot of resources,” Bi says. “In this economy, things have been put on hold.”

But cost isn't the only obstacle, Pett says. (The tools to execute continuous approaches aren't even that expensive, he adds.) Instead, the greater challenge is in getting access to all the corporation's transactional data. That information can be scattered throughout numerous IT systems around the globe, managed by IT staffs struggling with other important problems of their own.

Pett

Progressive internal audit departments, Pett says, are training their staff to take the initiative and tap into enterprise software systems themselves to find the information they need, rather than waiting around for IT departments to do it. The drawback? “That's expensive,” he says. “You have to hire the right people who have the right skills.”

“I would argue [continuous auditing] is your best chance of finding fraud.”

—Patrick Taylor,

CEO,

Oversight Systems

To some extent, continuous auditing and monitoring also suffer from an identity crisis. Some auditing experts discuss the two concepts as if they were two names for the same chore; not so, says Michael Cangemi, an independent consultant and former president of the Financial Executives International. “The difference is very simple,” he says. “One has to be done by the auditors.”

Cangemi

Cangemi means that continuous auditing technology belongs to the internal audit department; business process owners should be responsible for continuous monitoring of their teams' own activities. In other words, the business units continuously monitor their controls, while internal auditors continuously audit the effectiveness of those controls.

Cangemi says another reason for the limited popularity of both practices is that external auditing firms don't know how to handle them, and have been conspicuously quiet about any possible upside to adopting them. “External auditors are very confused about this whole thing,” he says. “Public accountants are all over the map on this subject.”

Wedemeyer

Phil Wedemeyer, a partner with Grant Thornton and a former staff member at the Public Company Accounting Oversight Board, agrees external auditors haven't exactly warmed up to the idea. “A lot of auditors are skeptical about whether it's really needed,” he says. “If it ever develops, it would be driven by the companies themselves through a desire for a higher degree of integrity in their systems. The external auditor crowd isn't going to be a catalyst for greater use [of continuous auditing].”

WHY IGNORE CONTINUOUS AUDITING?

The following information was provided by The Institute of Internal Auditors based on 127 responses to its survey question: What is the primary reason for not using a continuous audit model?:

Response

Frequency

Count

Insufficient resources

48.8%

62

Shortage of qualified

technical skills

21.3%

27

Lack of management buy-in

20.5%

26

Too complex

5.5%

7

Upfront costs are too

expensive

14.2%

18

Provides no value

2.4%

3

Requires a lot of time to

establish the process

27.6%

35

Access to data and systems is

too difficult

24.4%

31

Complex IT infrastructure

16.5%

21

Compromises independence

and objectivity

3.1%

4

Other

25.2%

32

Source

IIA Continuous Auditing Study: Summary Report (July 26, 2010).

Wedemeyer explains that auditing firms are still reluctant to place too much reliance on the work of internal auditors because they're not independent. External auditors, he says, still have an instinct to “beat up the balance sheet” themselves rather than rely on the work of others—internal auditors—who test controls themselves and share the results with the external auditing firm.

That attitude harkens back to fierce debates in the early years of SOX compliance, when companies complained that external auditors insisted on testing every control they could find and consequently racked up huge audit fees. The PCAOB tried to quell the controversy in 2007 when it published Auditing Standard No. 5, steering external auditors to rely much more on “the work of others” for testing controls.

Wedemeyer says companies may also be wary of continuous auditing and monitoring for fear that they could lead to regulators or investors demanding financial reports more frequently—since, in theory, continuous approaches should let you provide a snapshot of your SOX compliance at any time. “I don't think there's a lot of preparer interest in more frequent reporting,” he says.

The companies that typically are most serious about both practices are large (more than $1 billion in revenue), and in highly process-oriented businesses such as manufacturing. They tend to be focused not on compliance imperatives, but on the overall improvements to business processes that would result from continuously monitoring and auditing key aspects of the business. “The compliance benefit is icing on the cake,” Wedemeyer says.

Dohrer

But Bob Dohrer, national director of assurance services for audit firm McGladrey & Pullen, says that despite any benefits continuous auditing might provide, the financial statements still need to be reviewed and scrutinized by human eyes. “The software can do a lot, but at the end of the day it still takes an auditor to analyze the data, synthesize it all, and draw conclusions,” he says.

Dohrer says continuous monitoring and auditing might have still have a future yet, even if audit firms don't support them. “It hasn't dropped completely off the landscape,” he says. “But from a practical perspective, it certainly has lost its luster with the audit profession recently.”