This chapter includes a literature analysis concern continuous control monitoring and continuous control auditing where the chapter begins with a definition of these two programs and how they are related. The chapter also discusses the traditional methods of monitoring and auditing by comparing them to the new models of monitoring and auditing. Additionally, the chapter also discusses the benefits of these programs, application CM on other parties, barriers to adopting these systems, their maturity models, phases of implementations and how to change from manual to automatic controlling. The chapter also illustrates the external and internal auditing and how the external auditors can rely on information from internal auditors.
Theoretical Framework
This study rests on theories related to assurance, continuous auditing, and trust. Brief overview of these categories is provided followed by a detailed description of assurance, trust, and a clarification of the auditing environment within the context of this research.
Continuous Assurance
the International Auditing and Assurance Standards Board (IAASB) defines assurance as an engagement in which a practitioner expresses a conclusion designed to enhance the degree of confidence of the intended users other than the responsible party about the outcome of the evaluation or measurement of a subject matter against criteria (IAASB, 2005). It implies that an assurance activity is intended to raise the trust of the user in the reliability of the engagement. The key words here are trust and reliability. An assurance engagement comprises the practitioner, the intended user, and the responsible party. In the context of this study, the audit professionals from Baker Tilly Berk Netherlands are the practitioners performing the assurance activity on behalf of the responsible party (Dutch municipalities), for the intended user (the public). An auditor relies on data given by the responsible party to carry out the assurance engagement. The possibility that the data provided may not be 100% accurate implies that attainment of 100% assurance is not possible; hence, the three levels of assurance absolute, limited, and reasonable assurance (Page, 2006). It is in the best interest of all the stakeholders that the current program aspires for reasonable assurance (the highest level of engagement possible). It is on the backdrop of this limitation that continuous monitoring and auditing are called for to increase the accuracy of data collected (Vasarhelyi, Alles, & Kogan, 2004).
The outcome of the audit should provide to the stakeholders the assurance that the performance of the program is reliable. Elliot (1995) suggested that a third party can provide reasonable assurance (whether financial or non financial, phenomena or systems, direct or indirect) to the responsible party if the audit criteria is met.
Vasarhelyi and Harper (1991) introduced the concept of continuous assurance in organisations. Vasarhelyi et al. define continuous assurance as a progressive shift in audit practices towards the maximum possible degree of audit automation as a way of taking advantage of the technological basis of the modern entity in order to reduce audit costs and increase audit automation (2005 p5). It refers to the uninterrupted monitoring of processes that allows for continuous controls and risks monitoring and gather evidence using information technologies (otherwise referred to as computer-assisted audit techniques (CAATs)). Some studies have detailed the benefits of high frequency continuous continuous auditing as increased reliability and trust (ISACA, 2010; Vasarhelyi, 2010). However, they also cited the high costs associated with conducting frequent audits.
2.1 Continuous control monitoring and Continuous control auditing
Continuous control monitoring has been described as the process and technology applied in detecting compliance, risks, and controlling issues facing the organization's financial and operational processes (ISACA, 2010; Kyriazoglou, 2012; Chiu et al., 2014). It involves standardized and automated monitoring and auditing process (Deloitte, 2017). In CCM, the IT assets are connected with a program where they provide the management team with actionable and intelligent insights. CCM uses a tool that detects unusual transactions or processes in the organization (Vasarhelyi, Alles, & Kogan, 2004; Kyriazoglou, 2012).
According to Ames et al. (2015), when successfully implemented, continuous monitoring can enhance the ability of the management to quickly identify and solve issues, reduces errors and fraudulent activities, enhance cost savings, increase operation efficiencies, as well as reduce the costs of compliance. Put into context as an example to illuminate on the importance of continuous monitoring, an organisation that has implemented a control system realises that certain purchases can by-pass the procurement procedures and actually get paid for. The malpractice can continue as long as it is not detected. A continuous monitoring system can detect the problem at the earliest chance and help the management restore integrity.
On the other hand, continuous auditing facilitates internal audit personnel to acquire processes data constantly, and it supports all auditing activities (Kyriazoglou, 2012). Alles et al. (2002) described continuous auditing as the use of modern IT systems to the conventional audit products to perform control and risk assessments. Continuous monitoring and auditing are the cornerstones of internal audit. Most organizations audit executives are much aware of these programs and more so their benefits (Deloitte, 2017). The programs have become increasingly useful in safeguarding organizations against risks, regulatory activities, and agreement costs (Kyriazoglou, 2012).
Continuous control monitoring and auditing are both automated processes and can be confusing. However, they are very distinct programs (Kyriazoglou, 2012). However, they both provide executive officials with internal audit report concerning financial issues, accounting, and the possible risks. Continuous monitoring helps the management team to continually review the organization's processes regarding their adherence and nonconformity to the expected levels of performance and effectiveness (Kyriazoglou, 2012). Every organization has set standards that facilitate the organization to achieve its goals and objectives, especially in budgeting. A continuous review makes sure that the processes do deviate from the path and it assures the chief executives an effective and maximum performance. With the rising risks facing many organizations, CM has been considered essential for controlling risks, enhancing regulatory activities, and compliance (Kyriazoglou, 2012). On the other hand, continuous auditing facilitates the progressive collection of processes data that is used in anchoring auditing activities. Most organizations used to practice a quarterly or annual audit on the organization activities, before adopting the continuous auditing (Kyriazoglou, 2012, Vasarhelyi, Alles, & Kogan, 2004).
Nowadays, the organisations that have implemented continuous auditing techniques collect data more frequently the CAAT integrated programs. The control and risk assessments are real-time and provide the audit professionals with selective audit evidence using a set of predetermined rules within the shortest time possible (ISACA, 2010). The audit professional has to get reasonable assurance of the programs integrity, usefulness, reliability, and security via thorough planning, testing, and evaluation of the program (ISACA, 2010). Vasarhelyi et al. suggests that the role of continuous auditing is to monitor the functionality of internal controls, verification of data integrity, and dynamic measurement of risk for audit planning (2010, p.32).
The concept of continuous control and auditing has attracted a growing body of literature. The idea has increasingly grown from its formative stages of theory around three decades ago into practice. Alles, Kogan, and Vasarhelyi (2008) surveyed the state of continuous auditing in firms. They reported that the concept is increasingly being put into practice in many organizations. Brown, Wong, and Baldwin (2007) cite the importance of information technology and webbased applications in making monitoring and control of operations through continuous auditing. The call for continuous audit work stem from technical, organizational and cultural changes. Organizations are increasingly coming under pressure to improve their levels of transparency and accountability. The development of CA and CM has its antecedents in the six sigma theory and the theory of constraints. As the organizations focus on their internal controls over the day to day operations, they decide priority areas where they can improve efficiency. The operating environment for organizations is interlinked with others, which require that data be exchanged between companies. They partner with other entities whereby they exchange information and transaction data through electronic means. This requires enhanced scrutiny to ensure that integrity is maintained (Vasarhelyi, et al., 2004). The development of a framework for the implementation of CA/ CM program is preceded by need identification (identification of bottlenecks). The Theory of Constraints is a methodology for identifying such bottlenecks that stands in the way of implementing the CA and CM program then systematically improving that bottleneck until it is no longer a limiting factor (Nave, 2002; Hines, Holweg, & Rich, 2004).
2.2 Relationship between continuous monitoring and auditing
The link between continuous control monitoring and continuous auditing is that the both work hand in hand but they are independent programs (Vasarhelyi, Kuenkaikaew, & Alles, 2010). According to Vasarhelyi, Kuenkaikaew, & Alles, (2010), implementation of CA and CM, neither one of them needs to be present to facilitate the implementation of the other. Some organizations have used continuous auditing without CM, and nothing has failed. However, there is an inverse relationship between CM and CA whereby in areas where managers didn't implement CM, the auditors on the other end are required to improve on employing CA techniques. Again, when CM is comprehensively performed the internal audit manager will not require performing similar activities in those areas (Vasarhelyi, Kuenkaikaew, & Alles, 2010). A well-established CM function can provide the management team with visions put into their operations, which demand auditors to concentrate on different elements of risks in the organization. When an organization employs both CM and CA to assess results, the auditors get an easy way of generating assurance regarding the controls and the governance processes. From the relationship between CA and CM, it is now known that they work independently, but they give results of equal relevance. One of the basic factors of relationship is that the function of one process can be used to improve the other which only operate in one direction from CM to CA and not vice versa (Vasarhelyi, Kuenkaikaew, & Alles, 2010).
2.3 Components of Continuous AuditingAlthough both CM and CA are two related programs, each program has its integral parts. In CA, it is composed of three components, which include continuous control monitoring CCM, continuous data assurance CDA, and continuous risk monitoring and assessment CRMA (Halpert, 2011).
Continuous data assurance
CDA is responsible for verifying the validity of the data gathered in the information system during auditing (Halpert, 2011). This component relies on software to gather data from the IT programs which is then set for analysis to give more insigh...
Request Removal
If you are the original author of this essay and no longer wish to have it published on the customtermpaperwriting.org website, please click below to request its removal: