Continuous Auditing – is it really “auditing”?

Thomson Reuters’ magazine “Internal Auditing” has an article in their current January/February edition called “The Value-Added Significance of Continuous Auditing”. This is my rant because I continue to chafe at the concept of continuous auditing.

Let me preface this by saying that I am not an expert on continuous auditing. Quite the opposite. I’ve been reading about it for years but have never found its basic premise to be sufficiently compelling to encourage me to develop any expertise.

Now, on its face, there is clear logic for reviewing controls more frequently than less frequently. But every time I imagine which controls I could actually review by continuous auditing, I stumble. I first imagine detailed reviews of “exception conditions” that might be highlighted through automation. But in my book, that’s the role of management, not internal audit. Maybe it’s just semantics, but I can’t really conceive of anything that I would audit on a continuous basis. I go back to the assertion that continuous monitoring of a process is management’s role, not audit’s.

Audit’s role, in my view, is to stand apart from the process. To second-guess. To avoid getting caught up in execution of individual transactions and focus on the big picture – asking questions like “What is this function trying to accomplish? What are the risks? How is management monitoring and mitigating those risks? Is management’s monitoring process sufficient, efficient and effective?”

The article that I mentioned at the top of this post asserts a difference between continuous monitoring and continuous auditing. I can accept their assertion that management is responsible for continuous monitoring. But their further implication is that continuous auditing is similar to a quality control function by assuring that management’s continuous monitoring is taking place. I don’t think that this definition of continuous auditing is a universal concept. I don’t feel that my profession and my experience are in any way aligned with quality control monitoring. It seems that this view simply doesn’t align with the words “continuous auditing”.

So I’m back to my starting point. Continuous auditing is so fuzzy that it is, to me, unusable – yet it keeps getting discussed in the literature as a critical leap forward for internal audit.

What am I missing?