Continuous auditing (CA) was introduced decades ago to enhance the quality of assurance by continuously and automatically analyzing data running through a corporate system based on rules defined by internal auditors. As CA is designed to provide more feedback on deviations and more timely feedback compared to traditional auditing, it is expected to enhance monitoring. Consistent with these arguments, prior research (e.g., Eulerich, Georgie, and Schmidt; Eulerich, Lopez Kasper, and Sofla) has shown that CA reduces risk exposure and improves internal controls. Despite these benefits, the adoption of CA in practice is relatively low (German IIA; Polizzi and Scannella). The German Institute of Internal Auditors (IIA) shows that roughly 30% of the internal audit functions in Europe use CA, and half of the internal audit functions have no intention to implement CA. If the research findings are so strong, why is the move to continuous auditing so slow? In our study, we examine two factors to explain why this may be the case: the time it takes to observe the benefits of implementing CA and the risks most and least likely to improve from CA.
For the study, we use a field-study setting and analyze key risk indicators from the CA system of a multinational company that is among the largest food retailers in the world. The company implemented the CA system in 2015 and provided us with data on key risk indicators analyzed by the CA system between 2015 and 2020. Key risk indicators estimate the likelihood and severity of risks and act as a warning system for upcoming events. Internal auditors use key risk indicators to monitor risks, inform stakeholders (e.g., board members and management) about problems, and identify areas requiring additional testing. Examples of key risk indicators analyzed by the case company’s CA system include the number of invoices paid twice, the number of creditors with unrealistic payment terms, or the number of invoices with implausible or missing tax codes. We explore our research questions by examining the effect of the number of years for which the CA system analyzed the risks on twenty key risk indicators.
Findings
Our findings suggest that it takes an average of three years to observe a significant improvement in risk after adopting CA (see Figure 1). The overall risk level remained relatively consistent in the initial two years of CA usage. However, we observe a statistically significant decrease in the third year of CA usage, which continues until the fifth year and is followed by a statistically insignificant increase in the sixth year. Our empirical analyses support these findings.
Figure 1 illustrates an improvement in the overall risk level through the length of CA usage. Overall, the KRI score is the mean of all z-transformed key risk indicators for a given period; the key risk indicators have been analyzed in the CA system.
We then analyzed each key risk indicator individually to determine which types of risks are most and least likely to improve with CA. Our descriptive results show that most key risk indicators have improved: sixteen out of twenty key risk indicators show a decrease through the length of key risk indicators, whereby the decrease ranges from 10% to 100%. However, our regression results indicate that CA usage significantly and negatively affects only twelve out of twenty key risk indicators. Each additional year of CA usage results in a 13% to 52% improvement in these key risk indicators. For example, on average, the company’s entities had 17.7 duplicate payments when implementing CA. Our empirical results indicate that the average number of duplicate payments per entity decreased by 1.08 for each year of CA usage.
The remaining eight key risk indicators that show no significant improvement capture bookings into closed accounting periods, the usage of suspense accounts, the value and percentage of cash discount losses, logins with an SAP-user holding infinite rights, unauthorized payment block removal or modification, failed automated receipt transfers, and open items on different accounts. One reason for the lack of significant improvement is that there is little to no room for statistical improvement because these key risk indicators were already close to zero. Also, most of these key risk indicators tend to improve; however, it is just not statistically significant. According to the company’s internal auditors, some key risk indicators show no improvement because they have not been considered critical by the audited entities, or an improvement may have required significant efforts that outweighed the potential benefits.
Conclusion
Overall, our study provides empirical evidence supporting the effectiveness of CA in reducing overall risk by improving specific key risk indicators. To our knowledge, we are the first to quantify the benefits of an existing CA system. We find that it takes an average of three years to show benefits regarding risk reduction. While CA improves most measured risks, it may not effectively address all types of risks.
The study emphasizes the importance of patience when implementing CA, as the benefits may take time to manifest. Additionally, it extends prior research in that it quantifies the actual benefits of CA, providing evidence of improvement in multiple key risk indicators and helping practitioners demonstrate the value added by the system. While we show that the effect of CA usage differs depending on the key risk indicator considered, it will be important to further understand why CA works for some indicators but not others in the future.
Marc Eulerich is a Professor at the University of Duisburg-Essen.
Benjamin Fligge is a Ph.D. student at the University of Duisburg-Essen.
Vanessa Lopez Kasper is a Ph.D. student at the University of Duisburg-Essen.
David A. Wood is the Glenn D. Ardis Professor of Accounting at Brigham Young University.
This post is based on their paper “Patience is Key: The Time it Takes to See Benefits from Continuous Auditing,” available on SSRN.
The study emphasizes the importance of patience when implementing CA, as the benefits may take time to manifest. Additionally, it extends prior research in that it quantifies the actual benefits of CA, providing evidence of improvement in multiple key risk indicators and helping practitioners demonstrate the value added by the system. While we show that the effect of CA usage differs depending on the key risk indicator considered, it will be important to further understand why CA works for some indicators but not others in the future.