QFinance recently published an article of mine on Continuous Auditing: Putting Theory into Practice. When I shared this news, a couple of people commented that internal audit should not be doing this kind of work, because it is a detective control, management's responsibility, and management may rely on it instead of taking ownership themselves. (I should point out that they reacted to the idea of continuous auditing, without reading the article.)
This observation made me think, and I want to share my reflections and hear what you have to say:
- The role of internal audit is to provide assurance to the board and top management that governance, risk, and control processes provide reasonable assurance that risks are at acceptable levels.
- We should be providing that assurance when it is needed, which in many cases is more frequently than annually.
- It is not internal audit's role to test every transaction and verify that it was handled properly (and function as a detective control). We should be focusing on the adequacy of processes and controls.
- Confirming that transactions are correct does not provide assurance that the controls are in place and effective.
- Many of the vendors and consultants who advocate continuous auditing (and even some practitioners) are testing transactions and not controls — and I don't believe we should be doing that, except as a service to management with express approval from the board.
- Continuous auditing is not limited to the use of technology, and you don't need technology to do it — it just makes it easier.
If our work looks like a detective control, we shouldn't be doing it (absent approval by the board).
If it leads to us being able to provide assurance that the controls are in place and working (because we are testing controls, not just transactions), then congratulations!
What do you think?