Continuous Auditing: Leveraging Technology
By DeWayne L. Searcy and Jon B. Woodroof
The following comments from Big Four audit partners emphasize that the time for the continuous audit (CA) has come:
CA services offer considerable advantages over traditional auditing, but they also present significant hurdles in implementation.
What Is a CA?
According to the CICA/AICPA research report, CA is “a methodology that enables independent auditors to provide written assurance on a subject matter using a series of auditors’ reports issued simultaneously with, or a short period of time after, the occurrence of events underlying the subject matter.” A CA relies heavily on information technology. While the CA concept is over a decade old, rapid advancements in technology have now made continuous auditing more feasible. Examples of this technology include broad bandwidth, web application server technology, web scripting solutions, and ubiquitous database management systems with standard connectivity.
A CA leverages technology and opens database architecture to enable auditors to monitor a company’s systems over the Internet using sensors and digital agents. Any discrepancies between the records and the rules defined in the digital agents are transmitted via e-mail to the client and the auditor. At that point the auditor can determine the appropriate action to take. For example, a digital agent performing analytical procedures on the accounts would e-mail the auditor an exception report on those accounts that fluctuate outside the parameters defined in the digital agent. Once an account trigger has occurred, the digital agent moves to the transactional level to identify the problem and e-mail the auditor. Once the transaction is identified, a digital agent would verify the sale with the customer and e-mail the confirmation to the auditor.
All of the audit routines described above are done electronically and automatically. The audit routines are performed not only at year-end but quarterly, monthly, daily, or in real time. The only constraints are the performance limitations of the client’s system and the update frequency of the client’s records. If a company updates its system on a daily basis, then the digital agents will be limited to daily execution. Also, a balance between system performance and relevancy must be achieved. Attempting to perform multiple audit routines in real time on very high volumes of daily transactions could possibly impede the execution of business. As technologies continue to be developed that are faster and smarter, this will be less of a concern.
Within the CA domain, investors could access a company’s information in the form of a website that publishes continuously audited financial information on demand. The website would present the audit report as of that point in time. The Exhibit shows the digital interactions between investor, auditor, and client.
There are two primary levels of assurances provided in the CA report, as seen in the Sidebar. A third assurance level exists when the audit firm is providing assurance on a specific analysis (e.g., compliance with debt covenants). If there are no exceptions generated at any of the assurance levels, an unqualified opinion is published. Sample CA reports can be viewed at acctnt.bus.utk.edu/ld/default2.cfm. The CA report is time-stamped based on when it is accessed. A level 1 assurance violation prevents the financial statements from being accessible to the investor. If either the reliability or the security of the client’s system is in jeopardy, the financial statements produced from that system should not be relied upon to make informed decisions.
When Will the Service Be Offered?
CPA firms that currently provide auditing services may eventually have to move toward some form of continuous auditing to compete. This is especially true for firms auditing public companies.
In the aftermath of the Enron hearings and investigations, the government may be the one to require more rapid reporting. An Associated Press story from March 2002 reported that the White House has proposed that investors be given quarterly access “in plain English” to corporate information needed to judge a company’s financial performance and risks. More frequent reporting should reduce uncertainty and enhance investors’ perceptions of a company. The more frequent audit will ensure the integrity of the data.
While some form of CA services may be required in the future for public companies, firms that audit private companies can also benefit. CPA firms must continuously seek more efficient methods of conducting audits that allow their scarce resources to be utilized in the most cost-effective manner.
Seven Types of Audit Wastes
Implementing CAs can facilitate the elimination of audit wastes possible
in the current audit domain. In general, there are seven types of wastes that
Overauditing. this occurs when firms perform audit procedures over and beyong those necssary. Any audit procedures performed other than those required based on the audit risk and materiality assessment can be considered waste that only adds time and costs to the audit.
Waiting. It is not uncommon for an auditor to have to wait for the data needed to complete the task. Once the necessary data is received, the auditor may not be in a position to immediately resume work. Waiting is caused by data and manpower shortages.
Time delays. Inherent in the first two types of traditional audit wastes are time delays. The time requirements of a traditional audit are significant. It is not uncommon for a significant delay to exist between the end of the reporting period and the issuance of the audit report to investors and creditors.
The audit process. The fourth traditional auditing waste is due to inefficiencies in the audit process itself. From the planning stage through the issuance of the audited financial statements, it is not difficult to identify several potential areas of waste. Some of the causes of waste in the audit process are inexperienced staff, inadequate data, and redundant audit steps.
Work-in-process. The audit process is not a smooth, continuous process from start to finish. Instead, there are many stops and restarts that add cost without value. An audit is a work-in-process from the time the planning stage begins until the issuance of the audited financial statements.
Review process. The review process is basically a quality-control measure. It consists of multiple levels of audit manager and partner sign-offs. Continuous auditing procedures can automate and shorten the review process.
Errors and mistakes. Even with the review process in place, errors and mistakes occur during an audit. The stage at which the errors or mistakes are discovered determines the amount of extra work required to correct them. Quality control is necessary to produce a defect-free product, but it does not add value. The review process is done because the audit firm cannot be assured that the staff assigned to the audit performed their duties flawlessly.
By leveraging technology, a CA allows audit firms to conduct an audit continuously and without wasting resources, since most of the audit is automated. In addition, CAs allow firms to produce audited financial statements immediately as demanded by interested parties. CAs will require initial increases in investments for technology and different skill sets for auditors. CAs should provide CPA firms the opportunity to reduce their overall audit staff in the long run. This allows the firms to redeploy their audit staff and resources to other services, while maintaining high levels of reliability and quality. The analogy can be made to manufacturing companies, which moved from traditional manufacturing practices to lean manufacturing in the 1990s. The overall result was a more efficient and effective company, poised for growth.
Hurdles to Implementing Continuous Auditing
While the motivating factors for offering CAs may be high, there are several hurdles that must be overcome. Two of the biggest hurdles, aside from the technical ones, are the client’s buy-in and staff training. While clients are always eager to reduce audit hours, most are accustomed to the annual audit and all it entails. CPA firms must be ready for the time when more companies realize the financial incentives for moving to the CA. In addition, CAs will require that CPA firms have direct access to information systems. Companies are already uneasy about the level of access that audit firms have now, so allowing direct access will require very high levels of trust and commitment.
Focused training in the CA approach will be necessary, along with increased training in information systems. The toolset of the new auditor should include various aspects of information and web technology in order to design and maintain the process for continuous auditing. The training should begin at the collegiate level. Audit courses should begin addressing the continuous auditing domain.
The challenges to implementing CA services are worth the benefits: a shorter audit cycle, increased flexibility, customizable reports to clients and third parties, and reduced audit-related costs. CPA firms moving to a CA environment can create competitive advantages and devote resources to other services. The move to CA is not without its hurdles and will require a new way of thinking about auditing.
The CPA Journal is broadly recognized as an outstanding, technical-refereed publication aimed at public practitioners, management, educators, and other accounting professionals. It is edited by CPAs for CPAs. Our goal is to provide CPAs and other accounting professionals with the information and news to enable them to be successful accountants, managers, and executives in today's practice environments.
Visit the new cpajournal.com.