Continuous Auditing vs. Continuous Monitoring
| Continuous Auditing | Continuous Monitoring | |
|---|---|---|
| Who performs it | Internal audit | Management / first and second line |
| Purpose | Ongoing, automated assurance testing by audit | Management oversight of control effectiveness |
| Outputs | Exception reports, automated findings | KRI dashboards, control status reports |
| Frequency | Daily, weekly, monthly — based on risk | Real-time or daily |
| Independence | Independent of operations | Operated by management |
Data Analytics Tools — ACL and IDEA
ACL Analytics (Now Galvanize HighBond)
ACL is one of the most widely used audit data analytics platforms globally. It allows auditors to import large datasets from any source, apply statistical and logical tests, and generate exception reports identifying transactions that warrant investigation.
- Benford's Law analysis on entire transaction populations
- Duplicate payment detection across accounts payable
- Stratification and outlier analysis on journal entries
- Vendor master file comparisons against employee data
- Gap testing for missing document numbers in sequential series
IDEA (Interactive Data Extraction and Analysis)
IDEA provides similar capabilities to ACL with particular strength in financial data analysis and report generation. Both tools can import data from virtually any ERP system, including SAP, Oracle, Microsoft Dynamics, and Sage.
Key Continuous Monitoring Tests
| Test | What It Detects | Frequency |
|---|---|---|
| Duplicate bank account: vendor vs employee master | Ghost vendors; insider vendor fraud | Monthly |
| Transactions just below approval thresholds | Deliberate circumvention of controls | Monthly |
| Duplicate invoices (amount, date, vendor) | Double payment schemes | Monthly |
| Round-number transactions above threshold | Fictitious transactions; estimate-based fraud | Monthly |
| Payroll headcount vs HR headcount | Ghost employees | Quarterly |
| After-hours system access on financial modules | Unauthorized record manipulation | Weekly |
| Journal entries posted by non-accountants | Unauthorized financial record modification | Monthly |
Implementing a Continuous Audit Programme
- Define objectives: Which risks will continuous monitoring address? What exception conditions should trigger follow-up?
- Identify data sources: Which systems hold the relevant data? What extract format is available? How often can it be accessed?
- Design the tests: Build the specific queries, scripts, or automated procedures that will run against each data source
- Establish thresholds: Define what constitutes an exception requiring investigation vs. a normal variance
- Build the exception management process: Who reviews exceptions? By when? What is the escalation path?
- Report to the Audit Committee: Continuous monitoring results should form part of the regular audit committee reporting cycle
Key Takeaway
Continuous auditing and monitoring is not a technology project — it is an audit transformation. Organizations that invest in data analytics capability and continuous monitoring shift their internal audit function from a periodic comfort mechanism to a real-time governance tool. The result is faster fraud detection, more comprehensive control coverage, and a fundamentally stronger assurance proposition to the board and audit committee.
Read: Internal Audit Fundamentals →