Organizations face a challenge on the emerging technology-enabled businesses to prevent fraud and mitigate risks. Information technology (IT) advancements also provided the possibility of ongoing risk assessment and ongoing control assessment on the growing data volume in the digital age. Although organizations perceive the benefits of continuous auditing (CA) and continuous monitoring (CM), its adoption is low. Some barriers limit CA and CM adoption along with common challenges that organizations must face during implementation. This chapter provides a systematic literature review to promote CA and CM by presenting the main challenges in implementations and general guidance to overcome the identified challenges.
TopIntroduction
Currently, organizations are completely dependent on information technology (IT) and information systems (IS) to deliver value to their customers and reach higher performance levels (Jacobson, 2009). Moreover, organizations are now facing times of digital revolution. Throughout the last two decades, IT/IS evolved at an exponential rate leading to a digital transformation in several industries and businesses (Bharati et al., 2009; Law & Ngai, 2005). Such digital transformation era seems to be a reality that organizations must embrace. However, organizations must also be aware of the outcoming risks and properly control them.
When technology develops faster than regulations, there is a higher risk of scandals and fraud which may lead to financial and reputational losses. Significant corporate and accounting scandals led to the implementation specific regulations such as Sarbanes-Oxley (SOX) act in 2002. To comply with such regulations’ requirements organizations implemented internal controls to mitigate risks and consequently reducing fraud. In 2011 the Association of Certified Fraud Examiners (ACFE) estimated that organizations lose 5% of their revenues to fraud (Association of Certified Fraud Examiners, 2018). Even facing numerous compliance obligations (Protiviti, 2013) organizations fraud is increasing(KPMG, 2013).
We are facing times where IT/IS are being used by organizations to help them collect more and more information to support decision making (Power, Sharda, & Burstein, 2015). However, decision making has an associated risk, and as the volume of information grows, the ability to deal with it decreases (KPMG, 2013). A study conducted by PwC demonstrated that its respondents expected internal audit to be a trusted advisor (PwC, 2014). Internal audit reliance is increasing yet their budgets are decreasing (Protiviti, 2012; PwC, 2012). To do more with less, internal audit urges to increase its productivity.
Nowadays, organizational IS are capable of processing and logging huge amounts of transactions, however, manually finding wrong actions among these is costly and wouldn’t guarantee the needed assurance additionally data generation is growing at an exponential rate (Singh, Best, Bojilov, & Blunt, 2014). This increases the chances of not noticing a problem within time of corrective action.
IT advancements also provided the possibility of new auditing and internal control approaches. Continuous Auditing (CA) and Continuous Monitoring (CM) provide the ability to verify 100% of the data based on a determined ruleset, shorten audit cycles while providing near real-time alerts on unexpected situations allowing faster responses to unusual situations to prevent or mitigate impacts. It is believed that only 0.5% of the world’s generated data is analyzed and thus, there is plentiful of potential insights given by the remaining data (Gantz & Reinsel, 2012).
Continuous assurance, CA and CM are three commonly used terms to describe this thematic. Most authors define frontiers between these related terms(M. G. Alles, Kogan, & Vasarhelyi, 2008; David Coderre, 2015; Deloitte, 2010; Gonzalez, Sharma, & Galletta, 2012; M. A. Vasarhelyi, Alles, Kuenkaikaew, & Littley, 2012; M. Vasarhelyi, Vasarhelyi, Alles, & Kogan, 2004). Others state that there is no difference between CA and CM except who is responsible for each part (Marks, 2009).