Continuous Auditing

Cover of Continuous Auditing

Theory and Application



Table of contents

(20 chapters)

The advances and continuous development of technology have been identified as significant influences on the accounting profession (AICPA, 1998). In the last twenty years, both academia and the accounting profession have been giving much attention to the demand and opportunity for audits to be performed automatically, continuously and in nearly real time. This paper presents a comprehensive review of continuous auditing research by providing an overview of the emergence and growth of the continuous auditing literature and classifying the extant continuous auditing research on the basis of four research characteristics indicated by a newly developed research taxonomy.


The evolution of MIS technology has affected traditional auditing and created a new set of audit issues. This paper describes the Continuous Process Auditing System (CPAS) developed at AT&T Bell Laboratories for the internal audit organization that is designed to deal with the problems of auditing large paperless real-time systems. The paper discusses why the methodology is important and contrasts it with the traditional audit approach. CPAS is designed to measure and monitor large systems, drawing key metrics and analytics into a workstation environment. The data are displayed in an interactive mode, providing auditors with a work platform to examine extracted data and prepare auditing reports. CPAS monitors key operational analytics, compares these with standards, and calls the auditor’s attention to any problems that may exist. Ultimately, this technology will utilize system probes that will monitor the auditee system and intervene when needed.


This paper demonstrates an approach to address the unique control and security concerns in database environments by using audit modules embedded into application programs. Embedded audit modules (EAM) are sections of code built into application programs that capture information of audit significance on a continuous basis. The implementation of EAMs is presented using INGRESS a relational database management system. An interface which enables the auditor to access audit-related information stored in the database is also presented. The use of EAMs as an audit tool for compliance and substantive testing is discussed. Advantages and disadvantages of employing EAMs in database environments and future directions in this line of research are discussed.


The progressive computerization of business processes and widespread availability of computer networking make it possible to dramatically increase the frequency of periodic audits by redesigning the auditing architecture around Continuous Online Auditing (COA). Continuous auditing is viewed here as a type of auditing that produces audit results simultaneously with, or a short period of time after, the occurrence of relevant events. It is arguable that continuous auditing can be implemented only as an online system, i.e., a system that is permanently connected through computer networking to both auditees and auditors. This article proposes a research agenda for the emerging field of COA. First, the history, institutional background, feasibility of and some experiences in COA are briefly reviewed. Thereafter, a number of research issues relating to the architecture of COA, factors affecting the use of COA, and the major consequences of COA are presented. Finally, a selected number of research issues are highlighted as priorities for future research in COA.


Given the growing interest in the topic, both in practice and academia, it is timely and important to examine the concept of continuous assurance (CA) and the possible paths along which such services will evolve. There has been a tendency to see CA purely from the point of view of its technological enablers. As such, it has virtually been taken for granted that CA will follow as a matter of course. What has been less thought through is the business architecture that must underlie CA. In particular, we show that the key driver of CA is the demand for it. While there may be many economic transactions between the company and its stakeholders that could benefit from the provision of CA, there is no guarantee that CA is either cost effective—the only way of enhancing efficiency—or actually has to be continuous. Other factors that will affect the development of CA are the need for a new infrastructure to pay for it, as well as concerns about the independence of the assurors. We also identify some important research issues.


The digital economy has significantly altered the way business is conducted and financial information is communicated. A rapidly growing number of organizations are conducting business and publishing business and financial reports online and in real-time. Real-time financial reporting is likely to necessitate continuous auditing to provide continuous assurance about the quality and credibility of the information presented. The audit process has, by necessity, evolved from a conventional manual audit to computer-based auditing and is now confronted with creating continuous electronic audits. Rapidly emerging information technology and demands for more timely communication of information to business stakeholders requires auditors to invent new ways to continuously monitor, gather, and analyze audit evidence. Continuous auditing is defined here as “a comprehensive electronic audit process that enables auditors to provide some degree of assurance on continuous information simultaneously with, or shortly after, the disclosure of the information.” This paper is based on a review of related literature, innovative continuous auditing applications, and the experiences of the authors. An approach for building continuous audit capacity is presented and audit data warehouses and data marts are described. Ever improving technology suggests that the real-time exchange of sensitive financial data will place constant pressure on auditors to update audit techniques. Most of the new techniques that will be required will involve creation of new software and audit models. Future research should focus on how continuous auditing could be constantly improved in various auditing domains including assurance, attestation, and audit services.


The advent of new enabling technologies and the surge in corporate scandals has combined to increase the supply, the demand, and the development of enabling technologies for a new system of continuous assurance and measurement. This paper positions continuous assurance (CA) as a methodology for the analytic monitoring of corporate business processes, taking advantage of the automation and integration of business processes brought about by information technologies. Continuous analytic monitoring-based assurance will change the objectives, timing, processes, tools, and outcomes of the assurance process.

The objectives of assurance will expand to encompass a wide set of qualitative and quantitative management reports. The nature of this assurance will be closer to supervisory activities and will involve intensive interchange with more of the firm s stakeholders than just its shareholders. The timing of the audit process will be very close to the event, automated, and will conform to the natural life cycle of the underlying business processes. The processes of assurance will change dramatically to being meta-supervisory in nature, intrusive with the potential of process interruption, and focusing on very different forms of evidential matter than the traditional audit. The tools of the audit will expand considerably with the emergence of major forms of new auditing methods relying heavily on an integrated set of automated information technology (IT) and analytical tools. These will include automatic confirmations (confirmatory extranets), control tags (transparent tagging) tools, continuity equations, and time-series cross-sectional analytics. Finally, the outcomes of the continuous assurance process will entail an expanded set of assurances, evergreen opinions, some future assurances, some improvement on control processes (through incorporating CA tests), and some improved data integrity.

A continuous audit is a methodology that enables independent auditors to provide written assurance on a subject matter, for which an entity’s management is responsible, using a series of auditors’ reports issued virtually simultaneously with, or a short period of time after, the occurrence of events underlying the subject matter.

  • CICA/AICPA Research Study on Continuous Auditing (1999)

CICA/AICPA Research Study on Continuous Auditing (1999)

Companies must disclose certain information on a current basis.

  • Corporate and Auditing Accountability, Responsibility, and Transparency (Sarbanes-Oxley) Act (2002)

Corporate and Auditing Accountability, Responsibility, and Transparency (Sarbanes-Oxley) Act (2002)


In this paper we report on the approach we have developed and the lessons we have learned in an implementation of the monitoring and control layer for continuous monitoring of business process controls (CMBPC) in the US internal IT audit department of Siemens Corporation. The architecture developed by us implements a completely independent CMBPC system running on top of Siemens’ own enterprise information system which has read-only interaction with the application tier of the enterprise system. Among our key conclusions is that “formalizability” of audit procedures and audit judgment is grossly underestimated. Additionally, while cost savings and expedience force the implementation to closely follow the existing and approved internal audit program, a certain level of reengineering of audit processes is inevitable due to the necessity to separate formalizable and non-formalizable parts of the program. Our study identifies the management of audit alarms and the prevention of the alarm floods as critical tasks in the CMBPC implementation process. We develop an approach to solving these problems utilizing the hierarchical structure of alarms and the role-based approach to assigning alarm destinations. We also discuss the content of the audit trail of CMBPC.


In the almost twenty years since Vasarhelyi and Halper (1991) reported on their pioneering implementation of what has come to be known as Continuous Auditing (CA), the concept has increasingly moved from theory into practice. A 2006 survey by PricewaterhouseCoopers shows that half of all responding firms use some sort of CA techniques, and the majority of the rest plan to do so in the near future. CA not only has an increasing impact on auditing practice, but is also one of the rare instances in which such a significant change was led by the researchers. In this paper we survey the state of CA after two decades of research into continuous auditing theory and practice, and draw out the lessons learned by us in recent pilot CA projects at two major firms, to examine where this unique partnership between academics and auditors will take CA in the future.


The traditional audit paradigm is outdated in the real time economy. Innovation of the traditional audit process is necessary to support real time assurance. Practitioners and academics are exploring continuous auditing as a potential successor to the traditional audit paradigm. Using technology and automation, continuous auditing methodology enhances the efficiency and effectiveness of the audit process to support real time assurance. This paper defines how continuous auditing methodology introduces innovation to practice in seven dimensions and proposes a four-stage paradigm to advance future research. In addition, we formulate a set of methodological propositions concerning the future of assurance for practitioners and academic researchers.

Cover of Continuous Auditing
Publication date
Book series
Rutgers Studies in Accounting Analytics
Series copyright holder
Emerald Publishing Limited