Have you heard about the continuous audit?
It’s a hot topic in the accounting and internal audit space right now and has great potential to impact third-party assurance audits like HITRUST and SOC.
For example, the HITRUST CSF Certification roadmap includes options for leveraging continuous monitoring and assessment to reduce the frequency of performing a comprehensive validated assessment.
But what is a continuous audit? How do you implement it? And how do you select a technology tool to help you?
What is continuous auditing?
An idea that’s slowly becoming a reality, continuous auditing would take much of the burden off organizations that go through one or more yearly audits.
A continuous audit involves the continual monitoring of systems and collecting of data and evidence that is typically required in an assurance audit, spreading all that time and workload throughout the year. With more frequent check-ins with an assessor to provide evidence that internal controls are in place, mature and functioning properly, a continuous audit may allow an organization to forego undergoing a traditional assurance audit for a number of years.
What are the benefits of continuous auditing?
As mentioned, continuous auditing spreads the audit load throughout the year. Plus, the more frequent monitoring of critical controls it requires is itself a benefit — helping prevent any breakdown of controls during the year that wouldn’t have otherwise been detected until the annual audit. It further enables:
- The timely collection of audit evidence, and with less rush and effort.
- Better analysis of the strength of your controls through more frequent measurement and trending.
- Better alignment with the pace of change in highly dynamic environments. (Point-in-time assurance audits become outdated fairly quickly in dynamic environments like a technology startup.)
- The use of automated compliance monitoring tools that can help save time and resources in evidence collection.
- The use of tools to help automate the collection of evidence and data, to perform trending and to provide insights.
What to consider in implementing continuous auditing
If you’re interested in the benefits of continuous auditing and implementing it, the most important thing you can do is talk to your auditor — and get them involved early. They are obviously so integral to the audit process that their perspective here is essential. And if you don’t get them involved early, you risk them pushing back because they don’t understand the new process and how they can ensure the data you’re giving them is accurate and complete.
Your auditor is going to be making the transition along with you, so by involving them early, you can rely on their audit expertise to answer questions and help guide you (in a way that still maintains their independence). They can help you identify how you can transition to a continuous audit, if it’s feasible for your organization, what any technology tools you use need to be collecting and how they go about it, and more.
The next thing on your list should be identifying controls that can be easily measured in a continuous audit approach. Work with your auditor to identify when certain pieces of evidence can be collected and how often. Then identify tools that can support the process.
Using audit tools can significantly reduce the burden of evidence collection. Organizations that are subject to many audits throughout the year will see a better ROI when implementing continuous audit tools. Look into tools you can leverage for your specific audit situation and needs.
Lastly, start with a narrow focus and build on it over time. Implementing a continuous audit is a big transition and starting small will allow you to keep building capabilities over time, overall tackling it thoroughly.
Things to look for in a continuous audit tool
When looking at your options for an automated audit collection tool, there are several things to consider:
- Does it cover your technical environment (e.g., Azure, Google Cloud, on-premises servers)? Can it connect to it and pull data from it?
- Does it cover related technologies (e.g., endpoint protection, mobile device management, firewalls, vulnerability scanners, ticketing systems, audit logging and monitoring)? Does it cover non-technical areas, such as security awareness training solutions?
- How easy is it to configure to your compliance standards (e.g., HIPAA, HITRUST, ISO 27001/02)?
- What is the quality of the reporting? Some tools won’t satisfy what an auditor needs to understand the source of the information, such as dates and time stamps on when the data was pulled.
- How much set up will the tool require to tailor to your audit needs? What overhead is associated with the tools? What does the ongoing management of the tool entail?
Lastly, determine how confident you are that the information the tool is gathering is complete. Tools are supposed to save time and effort and make you more efficient. They’re not supposed to make your life harder.
If you want to learn more about continuous auditing and how to implement a continuous audit, contact Wipfli.
We are experienced independent auditors and have been keeping up with continuous auditing — both what’s being published by organizations like AICPA and HITRUST and what tools on the market could help automate and enable continuous auditing. We can advise on the strengths and quality of the tools unique to your situation.
We can also help you with your continuous auditing approach and methodology. Reach out to learn more. Or keep reading on in these related articles:
HITRUST vs SOC 2: Leveraging the best path to assurance
The path to HITRUST certification: Five reasons to start now