
Striving for constant improvement has always been a decisive mission for those companies that wish to remain successful. Achieving improvements is not an easy task and requires a multitude of actions. Evaluating one’s own business activities is certainly one of these actions (Gervais, Lemarchand, Margairaz, Rudy-Gervais, 2016). Responsibility for the regular evaluation of performance rests with the management of a company. However, the implementation of this activity can be passed on to other functions such as management accounting, controlling, in-house consulting, data analytics, or internal audit departments (Peemöller, Kregel, 2014, pp. 1-2).

Over the past few decades, the internal audit function has risen markedly in importance (Amling, Bantleon, 2007, pp. 81-83). It has developed to become a reliable partner of management and supervisory boards when it comes to evaluating company measures to ensure effectiveness and efficiency of structures and processes, compliance with laws and regulations, prevention and detection of fraud, safeguarding of assets, and other corporate dealings (Institute of Internal Auditors, 2012). Thus, many companies hold internal audit departments or receive internal audit services from external parties (e.g. from consulting companies). The popularity of internal audit departments arises not only out of self-interest, but is also backed by legislation that requires companies of specific industries (e.g. banking, insurance) to have internal audit departments in place (Amling, Bantleon, 2007, pp. 81-150).

In times of rapid change, companies need to constantly adjust to changes in their internal and external environments (Senior, Fleming, 2009, pp. 3-40). As part of this, the internal audit function plays an important role by assisting those corporate entities which identify and meet these changes. Furthermore, the internal audit department itself needs to undergo regular adjustments, so it can fulfil its duties and satisfy its own stakeholders’ needs. On a regular basis, internal audit departments need to find new ways to reach results faster or with less effort. Financial and personnel resources are scarce and thus need to be used efficiently. Moreover, the internal audit function needs to advance its auditing techniques, make effective use of technology, and react to the latest auditing trends. In many cases, the internal audit function needs to reinterpret its own role and shift from its traditional, finance-oriented investigation role to a more progressive, company-wide consulting role. Also, data has grown in extent and variety and requires the auditor to find new auditing methodologies (Peemöller, Kregel, 2014, pp. 97-108).

Since 2002 there has been an ongoing debate about the role of internal auditors. Corporate scandals at companies such as Enron, Parmalat, and WorldCom have shifted public interest towards auditors and their responsibility in preventing fraud and misstatement of financial statements. The recent scandal of Wirecard has revived this debate and has increased pressure on regulatory bodies to strengthen the independence of internal auditors and to hand them more responsibility (Der Bank Blog, 2010).

The academic world has come up with several new approaches to ease the internal auditors’ struggle in accounting for the requirements arising out of these developments. One such concept is Continuous Auditing (CA).

CA was first introduced by Groomer and Murthy (1989, pp. 53-69) as well as by Vasarhelyi and Halper (1991, pp. 110-125). According to the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA) (1999), CA is “a methodology that enables independent auditors to provide written assurance on a subject matter using a series of auditors’ reports issued simultaneously with, or a short time after, the occurrence of events underlying the subject matter”. More practically speaking, it is a risk-oriented, systematic auditing methodology, assisted by the use of IT tools, covering the ongoing, or at least highly frequent, analysis of different kinds of data by identifying deviations from previously defined target levels simultaneously with or shortly after the occurrence of an event (Wagner, Lieder, 2016).

According to Vasarhelyi (2011, pp. 23-29), CA holds several subdisciplines, based on the subject the audit activity focuses on (i.e. Continuous Controls Monitoring, Continuous Risk Management and Assessment, as well as Continuous Data Assurance). Also, CA is often mentioned in close connection to similar disciplines such as Continuous Monitoring and, in parts, to Continuous Assurance (Vasarhelyi, Romero, Kuenkaikaew, Littley, 2012, pp. 31-35).

CA is brought to life via processual approaches. Most approaches discussed in theory cover multiple stages and/or align themselves to the four stages of the Plan-Do-Act-Check cycle (e.g. Institute of Internal Auditors, 2005, p. 17; Du, Roohani, 2007, pp. 133-146; Yeh, Shen, 2010, pp. 2554-2570). Although most definitions of CA do not require the use of technology, software solutions have eased auditors’ efforts during the implementation of CA in practice (Flowerday, Blundell, von Solms, 2006, pp. 325-331). Several software architecture designs are discussed in theory and applied in practice, most of which can be reduced to two architecture designs: Embedded Audit Modules and Monitoring Control Layer. In this context, several programming languages (e.g. Extensible Business Reporting Language, Unified Modelling Language) have gained in popularity and are increasingly being used for CA solutions (Lin, Lin, Liang, 2010, pp. 415-422).

Academics have found a range of advantages that the application of CA provides. Among others, CA increases efficiency and effectiveness of the audit process by reducing audit costs and enhancing overall audit quality (Grasegger, Weins, 2012, pp. 231-238; Marks, 2009, p. 51). It helps companies to comply with law and regulations (Woodroof, Searcy, 2001, pp. 169-191). It allows handling large volumes of data and thereby enables auditors to approach subjects previously not auditable (Chan, Vasarhelyi, 2011, pp. 152-160). Due to its strict processual approach, it also strengthens auditors’ independence and helps to clarify auditors’ responsibilities (Institute of Internal Auditors, 2005, p. 5).

Before CA can function properly, barriers previously identified by academics need to be overcome. Diverse and heterogeneous data can make it difficult to apply CA as data needs to be standardised in many cases (Li, Li, 2007). Also, IT and training investments will be necessary to implement CA (Baksa, Turoff, 2010). As CA represents a methodology significantly different from traditional auditing, disruptions in daily operations of internal audit departments can occur (Hoffer, 2007, pp. 1-19). Furthermore, the rigid procedures that are required by CA interfere with the need for flexibility in daily auditing operations (Sun, 2012, pp. 59-85).

Vasarhelyi, Alles, Kuenkaikaew, and Littley (2012, pp. 267-281) see CA as the ultimate stage of internal auditing. Their underlying assumption is that the internal audit function of a company matures over time and becomes more and more sophisticated in its structures and processes. Specifically, they assume that internal audit functions pass through several stages (i.e. ‘1-traditional’, ‘2-emerging’, ‘3-maturing’, ‘4-fully continuous’), starting at a level with uncoordinated audit activities and ending at a level with strictly structured, automated audit activities.