Peter Millar (of ACL Services) is leading a small team (Brad Ames of HP and myself) in a project to update the Global Technology Audit Guide (GTAG) on Continuous Auditing. This is a routine update, such as we go through for all IIA guidance, but it provides the opportunity to upgrade the current guidance.
I have been writing a fair amount about continuous auditing, including a paper and several blog posts. They may stimulate your thinking on this topic.
I would appreciate some feedback on the following questions regarding the GTAG update:
The traditional GTAG is written for the chief audit executive and focuses on the use of technology. It is filed under the Professional Guidance/Information Technology section of The IIA's website rather than the Standards and Guidance section. But continuous auditing is a way of performing the business of auditing rather than just making use of technology. For example, some controls cannot be tested using software alone (consider a manager's review of a reconciliation, or the performance of a physical count of inventory), so other forms of testing are needed, including management self-assessment, manual tests, and surveys. Should the continuous auditing guidance be for all auditors and cover both automated and non-automated procedures rather than focus on technology? Should we have two forms of guidance, one that is for a general audience and one that focuses only on the use of technology?
I am very much a believer in risk-based auditing, and in designing the continuous auditing program to provide assurance on the more significant risks. Do you agree?
There are differences between the continuous assessment and testing of controls, and the continuous monitoring or inspection of controls (see my blog post on this topic). Is this important and should it be discussed in detail in the guidance?
COSO's Internal Control–Integrated Framework describes internal auditing as a monitoring control. Should the guidance address whether management should be permitted to rely on internal auditing to monitor controls, or should it assert that monitoring controls is a management responsibility?
Continuous auditing and continuous monitoring (by management) are similar in many ways, but different in others. How important is this, and should there be a discussion in the guidance on internal auditing's role in helping management design and implement monitoring? For example, is it a reasonable expectation that internal auditing could establish continuous procedures and then hand them over to management?
Do you have other concerns with the current GTAG, or issues you would like to see addressed?
Please share your comments here.