In the current business environment, senior management is asking some internal audit functions to do more work that resembles quality assurance. There are several reasons for this, but generally those reasons fall under the heading of business process disruption in one form or another. These may be disruptions to the workplace itself caused by COVID-19 and the ongoing labor shortage, or supply chain disruption related to the pandemic or geopolitical developments. The threat of cyber-attacks, weather events, and other heightened risks have also contributed to the potential for business process disruption.
Regardless of the cause, all of these business process disruptions have the capacity to impact product and service quality, and so senior management is looking to internal audit to provide real-time assurance that—in spite of all the turbulence—from a product and service quality standpoint, we’re still OK.
The increase in demand for internal audit input on quality assurance work dovetails with a continuous auditing approach.
Internal Audit vs. Quality Assurance
The work of internal audit and quality assurance (QA) does share some similarities. For example, internal audit and QA are both concerned with the quality and compliance of products, services, and business operations; both involve some form of testing and the reporting of results; and outputs of internal audit and QA can be used to identify risks and opportunities for improvement.
There are, however, some important distinctions between the two as well. A traditional internal audit is a fixed event with a beginning and end that has its own objectives, while QA is a continuous process and consists of ongoing controls. Internal audit is, ideally, independent, while QA typically is owned by the business units themselves. Some other important differences are identified in the table below.
It’s important to note that internal audit can be used to evaluate the effectiveness of QA systems, while QA does not evaluate internal audit. Because there are areas where the internal audit and QA concepts overlap, it makes sense that internal audit may be asked to fill some quality-assurance-type roles and duties, particularly in smaller organizations with less capacity for specialization. A continuous auditing approach can help meet the demand for this type of assurance.
Continuous Auditing Myths and Realities
More organizations are applying a continuous audit approach, particularly to areas of critical risk to the organization, such as cybersecurity, standards compliance, third-party and vendor risk management, and uncovering fraud. This shift is driven by demand from senior leadership and enabled by technology.
Continuous monitoring technologies can provide a steady stream of data into the audit process that is more comprehensive and quicker than sampling. Yet, as with a traditional audit approach, there is more to continuous auditing than simply monitoring and delivering key performance indicators (KPIs). Auditors must apply their objectivity, investigative skills, professional skepticism, and communication skills to provide independent insight and advice to management and the board on managing risk.
Continuous auditing is a bit of a misnomer in that it implies a never-ending audit cycle. Really, it is about leveraging continuous monitoring to identify risk. The purpose is not to find anomalies to bring to management’s attention, but rather to identify weaknesses in controls. For example, if internal audit makes recommendations, it may decide to return in six months to re-test and see if corrective action has been implemented and, if so, to see if it has been effective. With continuous auditing, however, internal audit could observe over a period of time and see if problems are reoccurring and whether there is a need to return for another audit, saving audit resources as well as providing more timely assurance.
Continuous Auditing’s Value Proposition
Continuous auditing offers greater lead time to catch emerging issues and, according to Reciprocity Labs, “provides in-depth, real-time analytic evidence demonstrating how closely a company is adhering to its policies and procedures.” Furthermore, it provides organizations with “evidence of continuous control implementation rather than a snapshot in time evaluation or a static sampling of evidence.”
The advantages of continuous auditing will vary from organization to organization, but overall, it has the capacity to improve governance, risk management, execution, and accountability. More specifically, potential benefits include:
- Continuous auditing can provide comprehensive, critical information on compliance with internal and regulatory requirements in real time.
- Continuous monitoring and auditing software can be configured to assess transactions against predefined parameters and if these are not met, alerts can be automatically generated.
- Continuous monitoring and auditing can identify potentially fraudulent activities.
- Both quantitative and qualitative risk assessments can be performed in a timely fashion.
- As the control environment has improved efficiency with continuous monitoring and auditing, cost reductions in audits and operations can be achieved.
- Reduction or remediation of errors allows for organizations to restructure personnel for improved effectiveness.
- Continuous monitoring and auditing can track management’s implementation of recommendations requested during the audit process.
- It can facilitate meaningful metrics for senior leadership and stakeholders.
Securing Support for Continuous Auditing
Most employees welcome the thought of replacing tedious, manual checks with rapid monitoring routines. Some audit functions, however, have been deterred by the perception that implementing continuous auditing involves a heavy investment in software and skills training, although that may or may not be the case.
Data exists in so many places, yet determining how to analyze it can be a daunting task. Still, internal audit should be keen to understand and leverage the monitoring tools and capabilities already in use by the company, especially in early stages of implementation. Working with and delivering value from tools that are already available will help make a more compelling argument for long-term return on investment to expand the scope of continuous auditing. To secure support from senior management and the board, it is critical that internal audit not do this quietly, and that it celebrate successes in the organization. According to Protiviti’s 2020 Internal Audit Capabilities and Needs Survey, audit committees want chief audit executives (CAEs) to communicate how their transformation and innovation efforts are resulting in more coverage of risks and deeper audit reviews.
In some cases, the internal audit department may simply be apprehensive to change, and so it’s critical that management and internal audit communicate early in the process. That way, everyone clearly understands how continuous auditing is going to result in more valuable deliverables from internal audit. This will also help auditors understand the organization’s baseline internal controls, practices, and objectives, and will help identify those areas that can be most readily measured via a continuous audit approach.
Management and auditors should also work together to identify specific evidence that should be collected and to determine audit frequency. Again, while the word continuous may suggest never-ending audits, in actuality, they can be performed at any interval the organization deems appropriate, such as bi-annually, quarterly, or with even greater frequency. Continuous auditing, powered by continuous monitoring tools, allows for this level of flexibility.
Still, though, the question remains—does making the transition to continuous auditing need to be expensive? Does the value outweigh the costs? And do these answers differ for smaller organizations with smaller budgets compared to larger organizations?
The answers may differ from organization to organization, but the factors are similar. When evaluating implementations, audit management should understand that audit tools often significantly reduce the burden of collecting evidence. Furthermore, as with any major change in efforts, beginning with a narrow focus that continually builds as internal audit becomes more comfortable with this new process can often help overcome obstacles to successful implementation and reduce additional unnecessary costs.
In his online article for Wipfli titled, “What is continuous auditing and how can you leverage it?” Paul J. Johnson provides a practical set of questions for assessing automated audit collection tools, including:
- Does the solution adequately support your technical environment (for example, Azure, Google Cloud, or on-premises servers)? Will it connect and can internal audit use it to obtain accurate data?
- Are related technologies (including endpoint protection, mobile device management, firewalls, vulnerability scanners, ticketing systems, audit logging, and monitoring) covered? Also, are non-technical areas, such as security awareness training solutions, covered?
- Is configuration to compliance standards (including HIPAA, HITRUST, and ISO 27001/02) easy?
- What is the level of reporting quality? There are tools that won’t adequately satisfy internal auditor needs regarding understanding source information, including dates and time stamps regarding pulled data.
- Is tool setup complicated when tailoring to the organization’s internal audit needs? Is there related overhead? What costs are involved in the overhead? How time-consuming and expensive is the tool’s ongoing management?
Answering these questions will go a long way toward identifying the right tools to facilitate continuous auditing for individual organizations and specific areas of risk.
The Power of Continuous Auditing
The beauty of continuous auditing is found in its around-the-clock utility and ability to constantly search for areas of improvement. Fifteen years ago, Lisa Beach delved into the topic of continuous audit in an Internal Auditor Online article titled, “Making the Change to Continuous Auditing,” by stating: “The power of continuous auditing lies in its ability to detect control gaps and weaknesses in a real-time environment, making it possible to report fraud and rectify errors immediately.”
Continuous auditing fits extremely well into internal audit’s mandate, at some organizations, to play a bigger role in quality assurance. Perhaps most importantly, though, the continuous approach allows internal audit to direct organizational resources to the most pressing issues immediately, which is essential for the uncertain, fast-changing environment companies are operating in today. By more rapidly and effectively advising management on current and emerging risks, continuous auditing has the capacity to elevate internal audit’s organizational value and, in some organizations, the power to change the dynamic with key stakeholders.
Gabriel Oviedo is VP – Internal Audit at Nielsen Holdings LLC, an information, data, and market measurement firm. Nielsen operates in over 100 countries and employs approximately 44,000 people worldwide. In Nielsen’s international markets, Gabriel is responsible for compliance with the standards set by the industry’s regulating body.
Excellent article and insights! I managed a business QA unit for a director with a low-risk appetite, and together we made an incredible impact, passed internal audits, and received a pass on the next audit. Leadership with a high risk appetite who have critical, high risk functions should read this article. Top leadership would be wise to put low-risk management in place for critical functions so the business gets the attention it deserves.
This piece is really great. Add value and I will try to work on the implementation of “continuous audit”. Tq
Well articulated. With the rapid change in technology and business environments, continuous audits are inevitable. Auditors have to change from historical to proactive audits.
I do not agree with this position in the article. Involving in the continuous auditing from internal audit can affect the organizational independence of IA in the company, because of big and unlimited interference to the business operations by internal auditors. Continuous auditing can be conducted by business units themselves not by internal audit department.
Of course, this business model can be comfortable to small business units however it is on edge of violation of basic governance principle concerning organizational independence of IA in organization.
I find the article very interesting and I think that as an auditor you should always implement this type of improvement and not be left behind on the subject, this with the growing changes in the market due to different factors.