Six Steps to an Effective Continuous Audit Process, By Carlos Elder de Aquino


Establishing priority areas and determining the process’ frequency are two of the six steps that internal auditors and senior managers need to take into consideration before making the switch to continuous auditing.

The need to improve and accelerate audit activities has led in part to the increased adoption of continuous auditing as a vital monitoring tool. Initially recorded at AT&T Corp. by its Bell Laboratories research center during the late 1980s and early 1990s, continuous audit efforts are now under way in organizations including Siemens, HCA Inc., Unibanco, the New York Federal Reserve, and IBM. Additionally, legislation such as Section 404 of the U.S. Sarbanes-Oxley Act of 2002 and audit software vendors, including ACL, IDEA, Approva, and Oversight, are shaping the continuous audit field and giving it considerable momentum. Consequently, as continuous auditing continues to grow around the world, internal auditors and senior managers need to understand the actions required to support an effective continuous audit process, including establishing audit priority areas and determining the process’ frequency.


When organizations begin evaluating the adoption of continuous auditing, three common issues usually arise that, if expected, can be managed effectively. First is the confusion among auditors and senior management regarding the differences between continuous auditing and continuous monitoring. Second is the need for auditors to understand the role of continuous auditing as a meta control (i.e., a control of controls). Third is the concern that implementing continuous auditing will lead to a loss of independence and objectivity as audit professionals become operationally involved in the process. While the way in which companies address these challenges will be unique to their organization, the following best practices can help them prepare for these issues.

Continuous Monitoring Vs. Continuous Auditing
Typically, continuous monitoring is a management function that ensures that company policies, procedures, and business processes are operating effectively, and it addresses management’s responsibility to assess the adequacy and effectiveness of internal controls. In addition, continuous monitoring usually involves the automated testing of all transactions and system activities within a given business process area against control rules. Monitoring may occur on a daily, weekly, or monthly basis based on the nature of the underlying business cycle.


Although many of the continuous monitoring techniques used by management are similar to those performed by internal auditors during continuous audit activities, continuous auditing usually enables auditors to evaluate the adequacy of management’s monitoring function and identify and assess risk areas. In addition, clearly communicating the differences between the two will aid in avoiding confusion or resistance to continuous auditing as a redundant effort. (For more information about the differences between continuous monitoring and continuous auditing, please refer to The IIA’s GTAG on continuous auditing.)

Meta Control
Continuous auditing also tends to be dynamic in nature (i.e., the auditor can turn continuous audit processes on and off based on current system loads by reconfiguring these activities according to the internal audit plan). Therefore, by monitoring particular configurable items, continuous auditing provides an additional level of controls and acts as a meta control.

For example, a bank can issue an alarm under pre-specified circumstances to the bank manager’s supervisor whenever loans reach a pre-authorized level. This activity then increases the level of controls that can be configured, such as by including the choice to have an alarm issued and under which circumstances.

Figure 1. Illustration of the continuous audit process’ dynamic nature

Independence and Objectivity
Finally, because continuous audit activities are different from those taking place during a more traditional audit, audit principles need to be re-conceptualized. This is because continuous auditing often places the auditor in the middle of the transaction flow. For instance, at a major US-based electronic brokerage firm that monitors its client’s electronic transactions, auditors are notified when a transaction is blocked after certain analytical parameters are met. The auditor then deals directly with the client. As this example illustrates, it is important for internal auditors to make sure that the continuous audit process has a system of checks and balances to maintain the independence and objectivity of their work throughout the audit.


Once the issues above are understood by managers and auditors alike, the organization will be in a better position to begin using continuous auditing. Generally, the implementation of continuous auditing consists of six procedural steps, which are usually administered by a continuous audit manager. Knowing about these steps will enable auditors to better monitor the continuous audit process and provide recommendations for its improvement, if needed. These steps include:

  1. Establishing priority areas.
  2. Identifying monitoring and continuous audit rules.
  3. Determining the process’ frequency.
  4. Configuring continuous audit parameters.
  5. Following up.
  6. Communicating results.

Below is a description of each.

Figure 2. Continuous audit implementation steps

1. Establishing Priority Areas
The activity of choosing which organizational areas to audit should be integrated as part of the internal audit annual plan and the company’s risk management program. Many internal audit departments also integrate and coordinate with other compliance plans and activities, if applicable. (Steps 2-6 below are applicable to all of the priority areas and processes being monitored as part of the continuous audit program.)

Typically, when deciding priority areas to continuously audit, internal auditors and managers should:

  • Identify the critical business processes that need to be audited by breaking down and rating risk areas.
  • Understand the availability of continuous audit data for those risk areas.
  • Evaluate the costs and benefits of implementing a continuous audit process for a particular risk area.
  • Consider the corporate ramifications of continuously auditing the particular area or function.
  • Choose early applications to audit where rapid demonstration of results might be of great value to the organization. Long extended efforts tend to decrease support for continuous auditing.
  • Once a demonstration project is successfully completed, negotiate with different auditees and internal audit areas, if needed, so that a longer term implementation plan is implemented.

When performing the actions listed above, auditors need to consider the key objectives from each audit procedure. Objectives can be classified as one of four types: detective, deterrent (also known as preventive), financial, and compliance. A particular audit priority area may satisfy any one of these four objectives. For instance, it is not uncommon for an audit procedure that is put in place for preventive purposes to be reconfigured as a detective control once the audited activity’s incidence of compliance failure decreases.

2. Monitoring and Continuous Audit Rules
The second step consists of determining the rules or analytics that will guide the continuous audit activity, which need to be programmed, repeated frequently, and reconfigured when needed. For example, banks can monitor all checking accounts nightly by extracting files that meet the criterion of having a debt balance that is 20 percent larger than the loan threshold and in which the balance is more than US $1,000.

In addition, monitoring and audit rules must take into consideration legal and environmental issues, as well as the objectives of the particular process. For instance, how quickly a management response is provided once an activity is flagged may depend on the speed of the clearance process (i.e., the environment) while the activity’s overall monitoring approach may depend on the enforceability of legal actions and existing compliance requirements.

3. Determining the Process’ Frequency
Although the process is called continuous auditing, the word continuous is in the eye of the beholder. Auditors need to consider the natural rhythm of the process being audited, including the timing of computer and business processes as well as the timing and availability of auditors trained or with experience in continuous auditing. For instance, although increased testing frequency has substantial benefits, extracting, processing, and following up on testing results might increase the costs of the continuous audit activity. Therefore, the cost-benefit ratio of continuously auditing a particular area must be considered prior to its monitoring.

Furthermore, other tools used by the manager of the continuous audit function include an audit control panel in which frequency and parameter variations can be activated. Hence, the nature of other continuous audit objectives, such as deterrence or prevention, may determine their frequency and variation.

4. Configuring Continuous Audit Parameters
Rules used in each audit area need to be configured before the continuous audit procedure (CAP) is implemented. In addition, the frequency of each parameter might need to be changed after its initial setup based on changes stemming from the activity being audited. Hence, rules, initial parameters, and the activity’s frequency (also a special type of parameter) should be defined before the continuous audit process begins and reconfigured based on the activity’s monitoring results.

When defining a CAP, auditors should consider the cost benefits of error detection and audit and management follow-up activities. For instance, in the example of the bank described earlier, the excess threshold of US $1,000 could lead to a number of false negatives (e.g., values that were ignored when the balance was smaller than US $1,000 but were identified as representing a problem) and a number of false positives (e.g., values with balances above US $1,000 that were flagged but were accurate). If the threshold is increased to US $2,000, there will be an increase in false negatives and a decrease in false positives. Because follow up costs would go up as the number of false positives increases and the presence of false negatives may lead to high operational costs for the organization, internal auditors should regularly reevaluate if error detection and follow-up activities need to be continued, reconfigured, temporarily halted, or used on an ad hoc basis.

Furthermore, the stratification of audited data into sub-groups allows organizations to better monitor the activity and reconfigure any parameters (e.g., auditors will be notified when balances larger than 20 percent of the debt remain that are also larger than US $5,000). However, the more complex the rule and its conditional components, the more parameters that must be examined, monitored, and sometimes reconfigured.
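The following is an added example, not part of the original article: a small Python sketch of the bank rule from step 2 with its parameters made configurable as described in step 4, evaluated against constructed accounts to show how raising the balance threshold trades false positives for false negatives. The field names, the `is_problem` labels, the cost figures, and the reading of the rule (debt balance more than 20 percent above the loan threshold and above a minimum balance) are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    account_id: str
    loan_threshold: float  # pre-authorized limit on the account
    debt_balance: float    # balance extracted by the nightly run
    is_problem: bool       # constructed label: what follow-up would conclude


@dataclass(frozen=True)
class RuleParams:
    excess_ratio: float = 0.20   # "20 percent larger than the loan threshold"
    min_balance: float = 1000.0  # "balance is more than US $1,000"


# Constructed sample data, not taken from any real system.
SAMPLE_ACCOUNTS = [
    Account("A1", 500, 800, True),
    Account("A2", 1000, 1500, True),
    Account("A3", 1000, 1300, False),
    Account("A4", 1500, 2500, True),
    Account("A5", 2000, 2600, False),
    Account("A6", 3000, 3200, False),
    Account("A7", 800, 1100, False),
    Account("A8", 4000, 6000, True),
]


def is_flagged(account, params):
    """Apply the rule: both conditions must hold for an alarm to be raised."""
    over_limit = account.debt_balance > account.loan_threshold * (1 + params.excess_ratio)
    return over_limit and account.debt_balance > params.min_balance


def evaluate(accounts, params):
    """Run the rule over all accounts and count both kinds of error."""
    flagged, false_pos, false_neg = [], 0, 0
    for account in accounts:
        hit = is_flagged(account, params)
        if hit:
            flagged.append(account.account_id)
        if hit and not account.is_problem:
            false_pos += 1   # alarm raised, follow-up finds nothing wrong
        elif not hit and account.is_problem:
            false_neg += 1   # real problem that the rule ignored
    return {"flagged": flagged, "false_positives": false_pos,
            "false_negatives": false_neg}


def best_threshold(accounts, candidates, follow_up_cost, miss_cost):
    """Pick the min_balance with the lowest combined cost.

    follow_up_cost is the assumed cost of chasing one false positive;
    miss_cost is the assumed operational cost of one false negative.
    """
    def cost(min_balance):
        result = evaluate(accounts, RuleParams(min_balance=min_balance))
        return (result["false_positives"] * follow_up_cost
                + result["false_negatives"] * miss_cost)
    return min(candidates, key=cost)


if __name__ == "__main__":
    for threshold in (1000, 2000, 5000):
        print(threshold, evaluate(SAMPLE_ACCOUNTS, RuleParams(min_balance=threshold)))
    print("cheap follow-up:", best_threshold(SAMPLE_ACCOUNTS, [1000, 2000, 5000], 50, 400))
    print("costly follow-up:", best_threshold(SAMPLE_ACCOUNTS, [1000, 2000, 5000], 300, 200))
```

Which threshold is preferable depends on the two cost inputs, which is why the parameters need to be revisited as monitoring results accumulate.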

5. Following Up
Another type of parameter relates to the treatment of alarms and detected errors. Questions such as who will receive the alarm (e.g., line managers, internal auditors, or both; usually the alarm is sent to the process manager, the manager’s immediate supervisor, or the auditor in charge of that CAP) and when the follow-up activity must be completed need to be addressed when establishing the continuous audit process.

Additional follow-up procedures that should be performed as part of the continuous audit activity include reconciling the alarm prior to following up by looking at alternate sources of data and waiting for similar alarms to occur before following up or performing established escalation guidelines. For instance, the person receiving the alarm might wait to follow up on the issue if the alarm is purely educational (i.e., the alarm verifies compliance but has no adverse economic implications), there are no resources available for evaluation, or the area identified is a low benefit area that is mainly targeted for deterrence.

6. Communicating Results
A final item to be considered is how to communicate with auditees. When informing auditees of continuous audit activity results, it is important for the exchange to be independent and consistent. For instance, if multiple system alarms are issued and distributed to several auditees, it is crucial that steps 1-5 take place prior to the communication exchange and that detailed guidelines for individual factor considerations exist. In addition, the development and implementation of communication guidelines and follow-up procedures must consider the risk of collusion. Much of the work on fraud indicates that the majority of fraud is collusive and can be performed by an internal or external party. For example, in the case of dormant accounts, both the clerk that moves money and the manager that receives the follow-up money may be in collusion since the manager’s key may have to be used for certain transactions.


Besides the six steps described in the previous section, two additional issues that emerge when implementing continuous auditing are the infrastructure needed for the process to work and its impact on the workplace.

Organizational Infrastructure
Because continuous auditing is a part of the company’s audit function, it must be kept independent of management. Therefore, during the planning stages, auditors need to keep in mind the process’ independence when designing its structure. For instance, a typical internal audit department is structured so that areas of the department focus on different cycles or business activities. In addition, the department may be divided into financial and IT audit functions.

Sometimes, however, IT audit activities are incorporated as part of existing IT operations. In organizations such as these, the development of continuous auditing is usually delayed because the activity may not get the necessary development priority. Regardless of whether IT audit activities are part of the organization’s IT or internal audit department, the organization must maintain the process’ independence as well as allocate resources in support of continuous audit activities.

Impact on Personnel
In addition, the audit manager in charge of the continuous audit process should have a more technical understanding of IT as well as extensive experience on the activities being audited. However, hiring, training, and retaining auditors who can implement and monitor continuous audit activities might be challenging due to the scarcity of internal auditors with knowledge in the area. Furthermore, the continuous audit process might create a daily stream of issues that need to be resolved, which might prove stressful given current personnel resources, and might require the continuous audit manager to exert adequate authority in moments of exceptions.


While more organizations are progressively implementing continuous auditing and, along the way, improving the quality of the data gathered during each audit, auditors and managers that are looking to implement a continuous audit approach need to be willing to move beyond their traditional yearly audit activities. Although not a lot of guidance exists today about the best ways to implement a continuous audit process, as with any major change, the evolution toward continuous auditing will take time and substantial attention from senior management.




7 Common KPIs for Production Monitoring

Strategic philosophies or practices such as Kaizen, Lean Manufacturing, Six Sigma, Total Quality Management and Continuous Improvement are used by many organizations to help improve processes, drive productivity and maintain a competitive edge in today’s ever-increasing global economy. Despite varying concepts,



Difference Between Accuracy and Precision by Farhana synthi


Accuracy is the comparison between a measurement and the true or most probable value. The comparison is made with regard to the error, i.e., accuracy is inversely proportional to the error. Accuracy is a general concept that expresses the correctness of a measurement. Only a single measurement provides an accurate result. Accuracy can be determined by the absolute method and the comparative method.

Precision:

Process Capability Applications in ISO 13485 Following ISO/TR 10017 – Webinar By GlobalCompliancePanel by Dan OLeary


You can improve the implementation and effectiveness of your Quality Management System (QMS) by using statistical techniques. The techniques are broadly applicable across the QMS. ISO provides a technical report that explains a number of statistical techniques. The report also lists the QMS where the specific techniques apply.

Why you should attend: Process Capability Analysis (PCA) is a powerful tool used to describe, troubleshoot, and improve (Quality Management System) QMS processes. This webinar will help you understand the concepts of PCA and show you applications in your QMS.

Your Quality Management System (QMS) should be able to address these questions quickly and easily. If not, then your team needs to attend this webinar!

* Do you report process capability indices at your Management Review?
* Do you use PCA and capability indices to help you identify and prioritize improvement activities?
* Have you validated processes and improved them to ensure a Cpk ≥ 1.33?
* Do you use PCA to help evaluate your suppliers and the product and services they provide?

Determining between a PPK and CCK Business Process by Laurence Solis

If you are a team leader or manager in a business organization, one must be able to determine the structure of an Organizational Development. An Organizational Development (OD) is a theoretical, organization-wide effort that aims to promote an organization’s effectiveness and capability. A term referred to as Process Improvement is categorized under this sector. Actions involved are aimed at improving a business process through identifying problems and analyzing solutions. The primary aim of this process is to evaluate the current goals and objectives of an organization.

With your goal in Process Improvement, among the things that you need to learn is understanding the difference between PPK and CCK. Let’s start by defining what PPK is.

* Search for a dependable source to help you start boosting your business processes by setting up a PPK Business model.


Data, Variation and Process Capability of Six Sigma by Jamesmiller

This chapter is a detailed discussion of the basics of data, variation and Statistical Control. You will learn here how to understand a distribution graph, understand what process capability is, and enumerate the various methods and indices used to calculate the process capability.

Data Facts – Basic nature of data

Two kinds of data are normally found in any organization:

1. Continuous Data

Data which can be measured and which characterizes a product or some process features in terms of its size, weight and volts. This type of data is said to be continuous by nature. In other words, the measurement scale can be meaningfully divided into finer and finer increments using the concept of least count.

2. Discrete Data

What is a KPI? by Kevin Dwyer

A Key Performance Indicator (KPI) is neither a Goal, nor a Key Result Area (KRA), nor a Target, nor a Result nor a Critical Success Factor. And yet these terms are often used interchangeably with a KPI.

A KPI defines itself, to a large extent, by its name; it is a performance indicator, i.e. the performance of the process it is measuring should be clearly indicated by the KPI.

This should clarify that the purpose of a KPI is not, for example, to measure the risk of a process, nor its age, nor its length, but its performance.

Further, a KPI should be key, not just any casual measure of a process (or a business as a whole); this can be taken as the KPI being closely correlated with the objectives of the process being measured.

An important and often overlooked aspect of a KPI not contained within its name is that it measures a continuous or discrete but repeated process.

Typical continuous processes include manufacture (toothpaste production, widget manufacture) and service where the dimensions are large (credit management for large public utilities, help desk for large IT installations).

Sometimes services which look to be custom when considered at an individual level (your neighbour’s knee surgery operation) can also be considered as almost continuous when considered at a coarse enough level of granularity (knee surgery in Australia in the ’90s).

Typical discrete, repetitive processes include service (PC installation, car sales and hotel check-in).

All of this ought to be self-evident, but it is common to see, for example, Target Completion Dates or Product Specifications (or both) labelled as KPIs.

Where the intention is to measure once-off performance of a project, or as part of a business plan, a specification or target date (or both) will suffice; labelling it a KPI is both unnecessary and confusing.

Moreover, developing only one off measures as a proxy for real KPIs puts a business at risk.

The implication of using one off performance measures in lieu of key performance indicators is that many organisations do not know how well they are performing. That is, until a significant universal lagging KPI such as profitability or lost time injury frequency ratio reaches unacceptable levels.

Lag, Current and Lead

Timing of KPIs, relative to achievement of corporate goals, is fundamental in choosing good candidate KPIs. Financial results, such as last quarter’s revenue, are typically lagged by 2+ months. Annual results, especially fiscal year results, can be much more delayed.

With such lags, the problem arises as to what action might be appropriate to alter the direction of the department’s performance, when the KPIs are measuring results in the past.

A correction may be inappropriate when the current performance has already significantly altered from that measured some time ago and may result in overcorrection.

Lag indicators should rarely be considered as a KPI as the benefit of KPI is to adjust processes and behaviour to get better performance.

KPIs measuring current performance are more useful. Examples include today’s bookings, sales or production level. As always, care must be taken not to allow instant results to result in instant reactions which, in turn, reinforce the original problem.

Other KPIs are of the leading type; their measures are predictive of desired results at the next higher level.

An example of such a leading indicator for market share is customer satisfaction with the organisation’s products and service. It is important to note though, that customer satisfaction survey output is a lagging indicator of customer service.

The primary difficulty with leading KPIs is to be sure that they are strongly correlated with the required corporate goals; modelling and understanding of key business drivers is necessary.

The corollary, of course, is that taking the time and effort to determine the key business drivers will result in a useful KPI rather than a number which is reported on monthly but caused no action to happen even when it strays outside its range of limits.

More than the nature and the design, a KPI must be understood by all staff. Further, all staff must know the corrective action to be applied. The corrective action must impact the KPI.

For example, completing plant production runs to schedule for a manufacturing plant impacts lead time which impacts stock levels, purchasing levels, in-full delivery, employee satisfaction and customer satisfaction. The deviation from production schedule of production is a leading indicator of a wide range of performance indicators.

Understanding that deviation from production schedule is key enables all people in the plant to apply corrective action to keep to the schedule. The resultant improvement in lead time improves many other dependent indicators including productivity.

Choosing an indicator like productivity as key only has an impact on costs and few people would understand what to do other than work faster or spend capital on automation.

KPIs in most organisations are actually targets, key project dates, key result areas or tasks. As a result, performance is not actually managed.

Having well thought through KPIs and acting on them with the confidence that action will cause a change in performance is well worth the investment in time and corporate brain-power it takes to develop, select and test Key Performance Indicators.

About the Author

Kevin Dwyer is the founder of Change Factory. Change Factory helps organisations who do not like their business outcomes to get better outcomes by changing people’s behaviour. Businesses we help have greater clarity of purpose and ability to achieve their desired business outcomes. To learn more or see more articles visit email 2006 Change Factory


KPI Template for Executive Dashboards by Samuelperth

When it comes to performance management, charts, spreadsheets and dashboards are more than outdated. Current strategies involve complex KPI sets that focus on directing the organization to the right path in order to achieve success. Choosing the perfect KPI template will come with benefits on the short and the long term as well. In a balanced scorecard, there are four perspectives that encourage the identification of relevant financial and non-financial measures.
Performance management is an approach that facilitates and improves the overall performance of a company and its employees. The strategies used in function of HR are driven towards ensuring that the goals and the mission of an organization are constantly being met in an efficient manner. It uses knowledge and technology in order to manage behavior and results, which are the two elements that sustain performance. This kind of strategies can be implemented in any type of organization: from businesses, to schools, hospitals, churches, social events or even sports teams. It can basically be applied wherever a group of people interact with each other.
Years of research have proven that there is an immediate correlation between performance management strategies and enhanced organizational results. The benefits will include not only a fast and considerable financial gain, but also a better motivated workforce and improved management control. The main goal of this approach is to determine key objectives for every business and job.

Catalogue of KPI Examples by Samuelperth

Performance cannot exist without setting at least one goal on the long term. This is what a KPI template aims for. Once a particular objective has been defined, monitoring performance allows you to step in and make key decisions at the right time. There are thousands of KPI examples available online, but only the right combination will help you improve your business’s performance and create the outcome you have desired.

Key performance indicators, or KPI, as they are also known help a company or an organization measure its progress according to its initial goals. For beginners, that are trying to make an understanding of what these strategy tools are, the amount of information available might be a little overwhelming. A simple search on google leads to thousands of references in seconds. This can only prove the importance of working with such indicators. Therefore, the question is inevitable: what is it that makes their existence crucial for the wellbeing of a company?

Product And Service Quality Enhancement With Total Quality Management by Zerger Klein

An in general total excellent quality management process enables organizations to integrate all their good quality software program in only one particular, unified system, be accountable for many benefits that correspond with both equally profitability and regulating compliance. To get able to take complete gain of it, nevertheless, the entire organization should absolutely take the basic suggestions of quality and accurately how they have an impact on each particular person. The aims are highly evident and obvious to determine. The quite number one objective could be to satisfy a customer’s expectations with each other with small business survival and firm growth. The 2nd objective might be the steady enhancement of in general small business superior. The ultimate essential objective could well be to build trust amid all of the employees on all amount of a business enterprise. TQM encourages innovation, inspires staff, and constitutes a company way more adaptable when adjust will come reduce the pipeline.