The Idea of Continuous Assurance
Key Takeaways
- Continuous Assurance Over Continuous Auditing: True continuous assurance is about providing ongoing confidence to boards and management that systems, processes, and people are reliable, not about auditing every transaction all the time.
- Focus on Future Risks, Not Past Errors: Assurance should emphasize forward-looking evaluations of control effectiveness over key enterprise risks rather than reactive reviews of past transactions.
- Technology as an Enabler, Not the Goal: While data analytics and automation can enhance auditing, continuous assurance depends on proactive engagement, judgment, and collaboration.
- Management’s Role in Monitoring: Continuous transaction testing is a management responsibility; internal audit should support but not replace it, maintaining independence and oversight.
Deep Dive
In this article, Norman Marks dives into the evolving concept of continuous assurance, challenging traditional notions of continuous auditing and urging internal auditors to focus less on reviewing the past and more on providing real-time confidence in the future. Drawing on his own experiences as a former Chief Audit Executive and early adopter of continuous auditing techniques, Marks explores how true assurance comes from understanding risk as it changes, engaging with management regularly, and providing insight that helps organizations anticipate, not just detect, issues.
Evolving Assurance for a Real-Time World
Many years ago when I was the CAE at Tosco Corporation, I got a personal invitation to join a Continuous Auditing Symposium led by Professor Miklos Vasarhelyi at Rutgers University. I remember talking to Miklos and hearing that he had been holding the event for many years. It was more a small group discussion than a major conference, as he had been unable to persuade that many people to attend. Very few were practicing any form of continuous auditing.
Although I was very interested in the idea of continuous auditing or assurance, I couldn’t justify my time or the travel expense to attend when, as he admitted, the idea hadn’t taken off. I found out later that there were fewer than a dozen people in attendance.
I was already practicing several continuous auditing/assurance techniques, and he wanted me to share those ideas at the conference. They included:
- Attending the monthly and quarterly meetings the CFO held to review and discuss the period’s financial results, and whether there were any accounting or financial reporting issues.
- Attending, either myself or through one of my direct reports, the monthly executive team meetings each business unit CEO held.
- Regular one-on-one meetings with the corporate CFO, business unit CFOs, CIO, General Counsel, and other top executives.
- Reviewing the monthly financial and operational reports and discussing them with management.
- More frequent audits (quarterly for the first eighteen months of its operation, annually after that) of the derivatives trading and accounting functions.
- Later, we added software that monitored revenue recognition fraud risk areas every quarter.
I believe that my job was to provide leaders on the board and in top management with continuous assurance that they could rely on their people, systems, processes, and organization.
That doesn’t mean that we are continuously (i.e., all the time) auditing transactions or management’s processes and controls. (Remember that auditing transactions doesn’t provide assurance of the existence, let alone the effectiveness, of controls.)
It means:
- Always knowing, as best we could, what the more significant enterprise risks are, whether through reliance on management’s risk processes or through our own risk monitoring.
- Having continuous insight into changes in those sources of risk.
- Auditing the risks that matter, when they matter. That means paying attention to some areas (like derivatives trading) almost all the time, and other areas (like employee recruiting) far less often.
- Focusing on the controls that provide continuing future assurance rather than auditing and providing an opinion on past transactions.
I was pleased with the first issue of the IIA’s Global Technology Audit Guide (GTAG), Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment, in 2005. It was developed by individuals whom I knew and respected: David Coderre and John Verver (and Donald Warren, whom I did not know but who worked with Miklos at Rutgers).
Its most important sentence is on the very first page, "Continuous auditing is a method used to perform control and risk assessments automatically on a more frequent basis."
Note that “continuous” becomes “more frequent”.
However, I don’t agree with this from the next paragraph, "Continuous auditing changes the audit paradigm from periodic reviews of a sample of transactions to ongoing audit testing of 100 percent of transactions."
This is auditing the past, even if it is more thorough. It’s “bayoneting the wounded” for past mistakes rather than ensuring the controls will be effective going forward. It is not proactive or forward-looking, as we stated in the IIA’s Core Principles for Internal Auditing. It’s also testing the data rather than the controls.
The GTAG’s definition of continuous monitoring, by contrast, is excellent, and it is also consistent with the COSO Internal Control Framework: "Continuous monitoring encompasses the processes that management puts in place to ensure that the policies, procedures, and business processes are operating effectively."
Later, the GTAG says, "Ideally, internal auditing is not part of the controls monitoring process and does not design or maintain the controls, thereby retaining its independence."
But continuously auditing 100% of transactions is a detective control, a monitoring control that management should be performing. Why should internal audit do management’s job? If it needs to be done, get them (even help them) to implement and perform continuous transaction monitoring.
The exception is where internal audit has an overriding need (such as where there is a risk of management fraud) to monitor the data themselves.
The GTAG was updated and renamed in 2015 and again earlier this year (2025). The third edition repeats the part that I disagree with, "Continuous auditing leverages technology to provide ongoing assessments of risks and controls, enabling internal audit functions to offer continuous assurance to the board and senior management."
While technology can be an enabler, limiting continuous auditing to the use of technology is a mistake.
A more egregious mistake is in the Introduction to the 2025 edition of the GTAG, "The internal audit function’s typical approach to evaluating the effectiveness of risk management and control processes is often retrospective, with controls tested on a cyclical basis, perhaps months after business activities have occurred."
Are people still taking a cyclical approach to auditing? Of course, we need an (enterprise) risk-based approach.
A little further on, the GTAG says, "Continuous auditing also includes analyzing data sources that can reveal anomalies in business systems, such as security levels, incident logging, unstructured data (data that is not restricted to a fixed field in a spreadsheet or database), and changes to IT configurations, application controls, and segregation-of-duty controls."
In other words, audit the past. More often than not, we need to audit the past to know whether the controls will be effective in the future. We may well use technology to do that!
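To make the distinction concrete, here is an added example (not the author’s code and not from the GTAG). It assumes a hypothetical ERP that keeps a journal-entry log and a configuration change history, and a hypothetical policy that entries of 10,000 or more need a second person’s approval and that nobody may approve their own entry. The first function is the 100%-of-transactions detective check that management should own as continuous monitoring; the second is the test an auditor cares about: was the segregation-of-duties enforcement setting actually switched on throughout the period? The constructed data includes an entry that looks clean in the transaction scan but was posted while the control was off, which is exactly why clean data alone says nothing about the control’s existence.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Hypothetical policy for this example (assumption, not from the article):
# entries at or above this amount need a second person's approval.
APPROVAL_THRESHOLD = 10_000.00


@dataclass(frozen=True)
class JournalEntry:
    entry_id: str
    posted: date
    amount: float
    created_by: str
    approved_by: Optional[str]  # None means no approval was recorded


@dataclass(frozen=True)
class ConfigChange:
    """One row of the hypothetical ERP's configuration change history."""
    changed_on: date
    setting: str
    old_value: str
    new_value: str
    changed_by: str


def monitor_transactions(entries: List[JournalEntry]) -> List[Tuple[str, str]]:
    """Management's detective control: scan every entry and report exceptions.
    This tells you what already went wrong, not whether the preventive
    control will stop the next one."""
    exceptions = []
    for e in entries:
        if e.amount >= APPROVAL_THRESHOLD and e.approved_by is None:
            exceptions.append((e.entry_id, "unapproved-over-threshold"))
        if e.approved_by is not None and e.approved_by == e.created_by:
            exceptions.append((e.entry_id, "self-approved"))
    return exceptions


def control_gaps(changes: List[ConfigChange], setting: str, value_at_start: str,
                 required_value: str, period_start: date, period_end: date
                 ) -> List[Tuple[date, date]]:
    """Audit test of the control itself: rebuild from the change history the
    half-open intervals [start, end) within the period during which `setting`
    was not at `required_value`. Assumes value_at_start is the value in force
    at period_start; change rows outside the period are ignored."""
    gaps = []
    gap_start = period_start if value_at_start != required_value else None
    for c in sorted(changes, key=lambda c: c.changed_on):
        if c.setting != setting or not (period_start <= c.changed_on < period_end):
            continue
        if c.new_value != required_value and gap_start is None:
            gap_start = c.changed_on          # control switched off
        elif c.new_value == required_value and gap_start is not None:
            gaps.append((gap_start, c.changed_on))  # control switched back on
            gap_start = None
    if gap_start is not None:
        gaps.append((gap_start, period_end))  # still off at period end
    return gaps


def posted_during(entries: List[JournalEntry], gaps: List[Tuple[date, date]]) -> List[str]:
    """Entries posted while the preventive control was not operating, clean or not."""
    return [e.entry_id for e in entries if any(s <= e.posted < t for s, t in gaps)]


def assess(entries: List[JournalEntry], changes: List[ConfigChange],
           sod_value_at_start: str, period_start: date, period_end: date) -> Dict[str, list]:
    """Combine the transaction scan with the control test for one period."""
    gaps = control_gaps(changes, "sod_enforcement", sod_value_at_start, "on",
                        period_start, period_end)
    return {
        "exceptions": monitor_transactions(entries),
        "control_gaps": [(s.isoformat(), t.isoformat()) for s, t in gaps],
        "posted_while_control_off": posted_during(entries, gaps),
    }


# Constructed sample data for the example; not real transactions or users.
PERIOD_START, PERIOD_END = date(2025, 3, 1), date(2025, 4, 1)
SAMPLE_ENTRIES = [
    JournalEntry("JE-1001", date(2025, 3, 3), 4_500.00, "alice", "bob"),
    JournalEntry("JE-1002", date(2025, 3, 10), 25_000.00, "alice", None),
    JournalEntry("JE-1003", date(2025, 3, 18), 12_000.00, "carol", "carol"),
    JournalEntry("JE-1004", date(2025, 3, 22), 8_000.00, "dave", "erin"),
]
SAMPLE_CHANGES = [
    ConfigChange(date(2025, 3, 15), "sod_enforcement", "on", "off", "sysadmin"),
    ConfigChange(date(2025, 3, 25), "sod_enforcement", "off", "on", "sysadmin"),
]

if __name__ == "__main__":
    for key, value in assess(SAMPLE_ENTRIES, SAMPLE_CHANGES, "on",
                             PERIOD_START, PERIOD_END).items():
        print(f"{key}: {value}")
```

The transaction scan flags JE-1002 and JE-1003, which is the kind of output a management monitoring job should produce every day. The control test adds what the scan cannot: enforcement was off from 15 to 25 March, and JE-1004 passed through that window with nothing wrong in the data. Only the second finding supports an opinion on whether the control can be relied on going forward.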
Any audit can use technology! Even an audit you won’t repeat for several years!
On a personal note, as an IT auditor with Coopers & Lybrand more than 40 years ago I was writing and using COBOL programs to test 100% of the transactions at a major insurance company and at the Post Office.
So… Let’s do this:
- Understand that we need to provide proactive and forward-looking assurance on the effectiveness of the controls over the more significant risks to the enterprise.
- Perform audits and other activities (such as attending review meetings) at a frequency that makes sense given the level of risk to enterprise objectives.
- Endeavor to be always able to provide an opinion to the board and management on the adequacy of internal controls over the more significant risks. That’s continuous assurance.
- Don’t limit ourselves to the use of technology for more continuous auditing. There are other techniques we should all be using. Use technology wherever and whenever it makes sense—recognizing that advances in technology are making it easier and more economical to use.
The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.