Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Continuous Assurance
Primary Related Standards
2320: Analysis and Evaluation
Internal auditors must base conclusions and engagement results on appropriate
analyses and evaluations.
1. The traditional testing of controls has been performed on a retrospective and cyclical
basis, often months after business activities have occurred, and frequently relies on
historical sampling techniques. Such sample-based audits may not meet the needs
of an organization, especially when the risk profile of an organization may require
more timely information. Because the pace of business and rate of organizational
change require more proactive identification of issues, technology can be leveraged
to identify potential problems and concerns more timely. Internal audit should
consider evaluating control effectiveness continuously, if warranted by the risk profile,
rather than using more traditional periodic historic testing of selected internal controls
and risks in an organization.
2. The IPPF Glossary defines assurance services as an objective examination of
evidence for the purpose of providing an independent assessment on governance,
risk management, and control processes for the organization. Continuous
assurance can best be achieved through a combination of managements continuous
monitoring responsibilities and internal audits continuous auditing activities.
3. Continuous monitoring is a management process that monitors whether internal
controls are operating effectively on an ongoing basis. Higher risk events (e.g.,
unusual or nonrecurring transactions) can be observed and flagged for additional
attention or testing. In addition to continuous monitoring processes, continuous
auditing routines developed by internal auditors, when appropriate, may be
transitioned to management, in which case they become continuous monitoring
procedures performed by management.
4. Many of the techniques management uses to continuously monitor controls are
similar to continuous auditing techniques that may be performed by the internal
auditor. The key to continuous monitoring is that the process should be owned and
performed by management as part of its responsibility to implement and maintain an
effective control environment. Because management is responsible for internal
controls, it should have a means to determine, on an ongoing basis, whether the
controls are operating as designed. By being able to identify and correct control
problems timely, the overall control system can be improved.
5. The annual audit plan should identify areas potentially subject to continuous auditing.
Internal audit should leverage the organizations risk management framework (if one
has been developed) as well as its own risk assessment, to identify these areas. The
Issued: June 2013
2013 The Institute of Internal Auditors
7. Once the objectives of continuous auditing have been defined, senior management
support should be obtained for the continuous auditing coverage.
8. Data files, such as detailed transaction files, often are only retained for a short time.
Therefore, the internal auditor should make arrangements for retaining appropriate
data. Access to programs/system and data should be arranged well in advance of
the needed time period to avoid interference with the production environment. The
internal auditor should assess the effect that changes to the production
programs/system, including access security, may have on the use of continuous
auditing routines. The internal auditor should obtain reasonable assurance of the
integrity, reliability, usefulness, and security of the continuous auditing routines
through appropriate planning, design, testing, processing, and review of
documentation.
9. The internal auditor should examine the adequacy of managements continuous
monitoring activities. This will determine how much reliance internal audit can place
on the organizations control environment which will impact the nature and frequency
of the audit work to be performed.
10. The internal auditor should consider the objectives of continuous auditing, the risk
appetite of the enterprise, and the level and nature of managements continuous
monitoring, when setting the timing, scope, and coverage of continuous auditing
tests.
11. The frequency of continuous auditing activities will range from real-time to periodic
analysis of detailed transactions, snapshots, or summarized data. The frequency will
depend on the level of risks associated with the system or process being examined
as well as the adequacy of continuous monitoring performed by management and
the resources available. Critical systems with key controls may be subject to realtime analysis of transactional data. The internal auditor should consider the
regulatory requirements and the degree to which management is addressing the risk
Issued: June 2013
2013 The Institute of Internal Auditors