For some years continuous auditing and monitoring has been the subject of number of articles and white papers mainly from academia, consulting and accounting firms. Deloitte, PwC and KPMG have for example published excellent whitepapers on continuous auditing and monitoring.
However, looking at other sources and reading debates about continuous monitoring technology, there seem to be various definitions of what continuous monitoring and auditing are and how they can be used. Sometimes they are even used interchangeably as if they are the same thing.
Continuous monitoring is a management tool. It is uses information technology to – in real time – review functional or business process performance and effectiveness to ultimately improve decision-making. It is based on governance and risk assessment processes and enables managers to detect deviations from targets, errors and risks sooner than would be possible with manual control procedures. Continuous monitoring can be applied at the transaction level to e.g. monitor data transactions and at a process level to e.g. monitor delivery processes and production processes.
Continuous auditing is a tool for internal auditors mainly and to some extent external auditors to continually gather audit evidence to support auditing objectives and activities. This means collecting data on processes, transactions and accounts to establish compliance with regulation, procedures and policies. The aim is ultimately to minimize the cost of control and compliance as well as increase the effectiveness of audit activities compared to audit objectives. There are several different types of CA technologies such as embedded audit modules, ghosting and monitoring control layer that also can be utilized by external auditors.
Currently there are different CM and CA technologies on the market either as part of popular ERP systems or as stand-alone solutions. ERP market leaders such as SAP and Oracle are integrating monitoring and auditing technologies in their solutions and stand-alone solutions from ACL, CaseWare and Expectus can be integrated in a variety of solutions and industry settings.
The CA and CM technologies are fast becoming more sophisticated, the integration easier and the interfaces more user friendly. This will mean more diffusion of CM and CA approaches to e.g. small and medium sized companies and NGOs. It will also mean that real time control will become even more prominent than it is now. It also means that external auditors might have to re-think parts of their business models and the actual business value of auditing hours sold.