Internal Audit

Continuous Auditing and Monitoring: The Future of Internal Audit

Continuous auditing and monitoring represents the evolution of internal audit from periodic, sample-based review to automated, population-wide, real-time assurance. This page covers the tools, techniques, and implementation approach for continuous auditing using data analytics — including ACL Analytics and IDEA.

"Sampling tells you what might be wrong. Continuous monitoring tells you what is wrong — in real time, across the entire population."

Continuous auditing and monitoring (CA/CM) is the use of automated procedures and data analytics to provide real-time or near-real-time assurance on controls and transactions — as opposed to periodic, point-in-time audit engagements. The IIA has endorsed continuous auditing as a fundamental evolution of the internal audit profession, and leading internal audit functions globally are integrating data analytics as a core competency alongside traditional audit skills.

Continuous Auditing vs. Continuous Monitoring

| | Continuous Auditing | Continuous Monitoring |
|---|---|---|
| Who performs it | Internal audit | Management / first and second line |
| Purpose | Ongoing, automated assurance testing by audit | Management oversight of control effectiveness |
| Outputs | Exception reports, automated findings | KRI dashboards, control status reports |
| Frequency | Daily, weekly, monthly — based on risk | Real-time or daily |
| Independence | Independent of operations | Operated by management |

Data Analytics Tools — ACL and IDEA

ACL Analytics (Now Galvanize HighBond)

ACL is one of the most widely used audit data analytics platforms globally. It allows auditors to import large datasets from any source, apply statistical and logical tests, and generate exception reports identifying transactions that warrant investigation.

  • Benford's Law analysis on entire transaction populations
  • Duplicate payment detection across accounts payable
  • Stratification and outlier analysis on journal entries
  • Vendor master file comparisons against employee data
  • Gap testing for missing document numbers in sequential series

IDEA (Interactive Data Extraction and Analysis)

IDEA provides similar capabilities to ACL with particular strength in financial data analysis and report generation. Both tools can import data from virtually any ERP system, including SAP, Oracle, Microsoft Dynamics, and Sage.

Key Continuous Monitoring Tests

| Test | What It Detects | Frequency |
|---|---|---|
| Duplicate bank account: vendor vs employee master | Ghost vendors; insider vendor fraud | Monthly |
| Transactions just below approval thresholds | Deliberate circumvention of controls | Monthly |
| Duplicate invoices (amount, date, vendor) | Double payment schemes | Monthly |
| Round-number transactions above threshold | Fictitious transactions; estimate-based fraud | Monthly |
| Payroll headcount vs HR headcount | Ghost employees | Quarterly |
| After-hours system access on financial modules | Unauthorized record manipulation | Weekly |
| Journal entries posted by non-accountants | Unauthorized financial record modification | Monthly |
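
Three of the tests above expressed as code, as an added example that is not part of the original page and is not ACL or IDEA script. The field names, the sample records, the approval limit of 5,000 and the 5% "just below" band are all assumptions chosen for illustration.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample extracts (not real data); field names are assumptions.
VENDORS = [
    {"vendor_id": "V001", "bank_account": "GB00-1111"},
    {"vendor_id": "V002", "bank_account": "GB00-2222"},
    {"vendor_id": "V003", "bank_account": "GB00-9999"},
]
EMPLOYEES = [
    {"employee_id": "E010", "bank_account": "GB00 9999"},
    {"employee_id": "E011", "bank_account": "GB00-3333"},
]
INVOICES = [
    {"invoice_id": "I1", "vendor_id": "V001", "date": "2024-03-01", "amount": "4990.00"},
    {"invoice_id": "I2", "vendor_id": "V002", "date": "2024-03-02", "amount": "1200.00"},
    {"invoice_id": "I3", "vendor_id": "V002", "date": "2024-03-02", "amount": "1200.00"},
    {"invoice_id": "I4", "vendor_id": "V003", "date": "2024-03-05", "amount": "5000.00"},
]

def _norm(account):
    """Strip separators and case so formatting differences do not hide a match."""
    return "".join(ch for ch in account if ch.isalnum()).upper()

def shared_bank_accounts(vendors, employees):
    """Vendor/employee pairs paid into the same bank account."""
    by_acct = defaultdict(list)
    for e in employees:
        by_acct[_norm(e["bank_account"])].append(e["employee_id"])
    return sorted((v["vendor_id"], emp) for v in vendors
                  for emp in by_acct.get(_norm(v["bank_account"]), []))

def below_threshold(invoices, limit, band=Decimal("0.05")):
    """Invoices within `band` (a fraction) under the approval limit, excluding the limit itself."""
    floor = limit * (1 - band)
    return [i["invoice_id"] for i in invoices if floor <= Decimal(i["amount"]) < limit]

def duplicate_invoices(invoices):
    """Groups of invoice ids sharing vendor, date and amount."""
    groups = defaultdict(list)
    for i in invoices:
        groups[(i["vendor_id"], i["date"], Decimal(i["amount"]))].append(i["invoice_id"])
    return [ids for ids in groups.values() if len(ids) > 1]

if __name__ == "__main__":
    print(shared_bank_accounts(VENDORS, EMPLOYEES))
    print(below_threshold(INVOICES, Decimal("5000")))
    print(duplicate_invoices(INVOICES))
```

Each function returns exceptions for follow-up, not conclusions: a shared bank account or a repeated invoice can have a legitimate explanation that only the review step can establish.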

Implementing a Continuous Audit Programme

  1. Define objectives: Which risks will continuous monitoring address? What exception conditions should trigger follow-up?
  2. Identify data sources: Which systems hold the relevant data? What extract format is available? How often can it be accessed?
  3. Design the tests: Build the specific queries, scripts, or automated procedures that will run against each data source
  4. Establish thresholds: Define what constitutes an exception requiring investigation vs. a normal variance
  5. Build the exception management process: Who reviews exceptions? By when? What is the escalation path?
  6. Report to the Audit Committee: Continuous monitoring results should form part of the regular audit committee reporting cycle

Key Takeaway

Continuous auditing and monitoring is not a technology project — it is an audit transformation. Organizations that invest in data analytics capability and continuous monitoring shift their internal audit function from a periodic comfort mechanism to a real-time governance tool. The result is faster fraud detection, more comprehensive control coverage, and a fundamentally stronger assurance proposition to the board and audit committee.
