Exploring Continuous Auditing Solutions and Internal Auditing

Research Question: Organizations increasingly buy standardized continuous auditing solutions from vendors rather than develop their own. What opportunities lie in exploring the adoption, implementation and application of such solutions in the context of internal auditing? Motivation: Extant literature has not fully examined the implications of this development and there are several interesting unexplored research questions in this area. Idea: We develop a framework for examining continuous auditing as an information system solution and link this to internal auditing. Data: We employ existing literature as data and build on similar frameworks from ERP systems and AIS research. Findings: The findings of the paper are a series of research questions for examining this relationship as well as a proposal for using different theoretical perspectives and methodologies. Contribution: The contribution is a new perspective on continuous auditing research that could move this research area forward and link it to current developments in the field.


Introduction
Advances in technology together with an increase in global commerce have stimulated the demand for a means to verify the integrity of financial transactions as well as other decision relevant data.One response has been the emergence of continuous auditing (CA) as a technology, a practice and the object of academic research (Brown et al., 2007;Bumgarner & Vasarhelyi, 2015).In the last few years a view of continuous auditing has emerged as a multidimensional construct, in that CA "consists of many diverse elements and may be implemented at various levels of sophistication.One of the key features is its ability to provide relevant information in more of a real time context.If a solution is installed, maintained, and utilized as intended, it has the capability to assist in mitigating or even preventing problems in identified risk areas" (Byrnes et al., 2015: 55).This perspective sees continuous auditing as an information technology-based solution, adopted and implemented in organizations to achieve certain business objectives.
There is growing acceptance of and investment in CA.KPMG's survey (2012) of the Europe, Middle East and Africa gauged the perceptions of 718 company officials from boards of directors, finance, operational/line management, internal control and internal audit across 32 countries.89 percent of respondents understand the benefits from CA, and 81 percent believe CA will facilitate real-time operational assurance.They consider CA is most valuable in scenarios where processes are repetitive and susceptible to risk, such as financial management reporting.69 percent have adopted CA to some extent, varying from building the business case, to pilot projects, implementations in internal audit, and embedding CA across the organization.The major obstacle to adoption is seen as understanding the CA tools available.In the following 2 years, 85 percent of respondents expect to be engaged with CA to various extents.The number of vendors providing software to support continuous audit is expanding rapidly.Currently, over 50 software solutions are available on the market relevant to CA (Capterra, 2017).
The main users and proponents of CA are internal audit (IA) functions (Bumgarner & Vasarhelyi, 2015).Some studies have examined the IA function from a compliance perspective where the focus is on how technology is used in assisting IA in ensuring compliance with policies, standards and regulations.However, IA is a management function like any other with certain tasks, organization and impacts on behaviour.There seems to be potential in examining the impact of CA on IA from such a management perspective.We are also motivated by the fact that today companies purchase vendor supported platform-based solutions rather than developing bespoke solutions (Gartner, 2016;Granlund, 2011).Such continuous auditing solutions (CAS) are either standardized solutions bought from vendors or cloud-based solutions that are vendor based or open source.Similar developments seem to be ongoing in the field of continuous auditing solutions.More vendors are Vol.13, No. 4 entering the market offering and implementing integrated or stand-alone CAS containing standardized functionalities (Murphy et al., 2016).The markets for Enterprise Resource Planning solutions and Business Intelligence solutions for example are characterized by these developments (Granlund & Mouritsen, 2003;Granlund et al., 2013).There seems to be more potential in researching the adoption, implementation and use of such solutions than has been addressed today in the literature (Brown et al., 2007;Chiu et al., 2014), which is another motivator for this research note.Such research is important for at least three reasons.First, as acquisition and implementation move away from bespoke solutions towards standardized vendor supported solutions, companies need different implementation approaches and have to deal with similar implementation issues as when implementing other standardized solutions (Hobeck et al., 2009;Rikhardsson & Kraemmergaard, 2006).Second, vendors, consultancies and analytical firms define a certain view of CAS which is being adopted by firms (KPMG, 2012;PwC, 2014;Deloitte, 2010;Wheeler, 2015).Academics need to stay abreast of this development if their research is to have practical relevance.Third, if academia is to support IA in its endeavours to improve its practices it is necessary to frame it in a more detailed manner and examine it also from a management perspective.
By studying the literature on continuous auditing and internal auditing as well as some of the continuous auditing solutions in the market, this research note concludes by proposing a framework for studying continuous auditing solutions in connection to internal auditing as a management function.It includes the general component of any continuous auditing solution as well as the tasks, organization and behavioral impact of internal auditing.Drawing on this framework several future research questions are asked that together would move continuous auditing in a new direction.We also suggest how theory can be used to answer the research questions and urge researchers to use a variety of theoretical perspectives and approaches in focusing on this important research topic.This research note is structured as follows.The next section explores internal auditing as a management function.Section 3 presents continuous auditing in an information systems perspective.Section four presents a framework for continuous auditing research and poses several research topics for future exploration.Section five offers some concluding remarks.

Internal auditing as a management function
Internal auditing is an independent, objective assurance and consulting activity designed to assess the effectiveness of the control environment, add value, and improve an organization's operations (ICDF, 2003).As such it is a disciplined approach to evaluate and improve the effectiveness of risk management, control and governance practices and has received renewed attention in reaction to noteworthy frauds of the 21 st century, including Enron and WorldCom (IIA, 2009).The Sarbanes-Oxley Act of 2002 forced senior executives on a path of establishing objectives, identifying risks and establishing controls to mitigate risks (Coates, 2007;Matyjewicz & D'Arcangelo, 2004).
Like other functions such as accounting, marketing and sales, internal auditing is also a management function with certain management tasks, organization of activities and impacts on behaviour of organizational members (Rom & Rohde, 2007).These are further explored below.

Tasks of internal auditing
The overall aim of internal auditing is to ensure organizational governance which involves managing relationship among various organizational participants in determining the direction and performance of organizations (Monks & Minow, 2001).This aim is fulfilled by performing three main tasks: ensuring corporate accountability, performing risk management and establishing internal controls Ensuring corporate accountability encompasses a broad collection of tasks focused on the entire accountability framework for an organization.It includes the framework of rules, relationships, systems and processes employed by a corporation's stakeholders to ensure proper accountability for managerial and financial performance (Gramling et al., 2004;Carcello et al., 2011;ASX, 2014).Some governance control systems (like the audit committee and the internal control system) are internal to the organization, while others are externally imposed and enforced by regulation or legislation.The integrity and quality of capital markets for example depend on the reliability, vigilance, objectivity and effectiveness of corporate governance.An important aspect of carrying out the corporate accountability task is the audit report indicating an opinion whether the financial statements are free of material misstatements (Arens et al., 2013).It is essential to obtain appropriate and sufficient evidence to form and support that opinion.Related tasks include developing an audit strategy and an audit plan to produce evidence that may be used in forming an opinion on the veracity of the financial statements.
Another main task is risk management.This is defined by COSO (2004: 2) as "a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."COSO's framework determines that an organization's strategy, operations, reporting, and compliance objectives all have associated business risks resulting from internal and external events that may inhibit an organization's ability to achieve its objectives.Vol. 13, No. 4 Hence, risk management is enacted by organizations to identify, classify, monitor and respond to risks that may impact the organization's ability to achieve its mission and objectives (Olson & Wu, 2008;D'Arcy & Brogan, 2001;Beasley et al., 2005).This includes the creation of suitable policies for the identification, disclosure and mitigation of risks, and the design and implementation of a system of risk management and rigorous internal controls (ASX, 2014).
The third main task is internal control, defined as "a process effected by an organization's board of directors, management, and staff to provide reasonable assurance regarding achievement of the following objectives; i) effectiveness and efficiency of operations, ii) reliability of financial and management reporting, iii) compliance with laws and regulations, and iv) safeguarding of assets" (COSO, 2011: 3).Internal control is consequently any action taken by an organization to improve the likelihood that the objectives of the organization will be achieved.Management designs, implements, and maintains internal controls and financial reporting processes that produce timely financial and non-financial information.This includes for example separation of employee duties; independent verification of important employee activities; effective security measures to protect valuable assets; careful document design (capturing all relevant data), document handling and filing; and cash control measures, including reconciliations and limiting electronic access to accounts (Kranacher et al., 2010).

Organization of internal auditing
There are two aspects of organization when it comes to internal auditing.One is the organization of corporate governance, risk management and internal control throughout the organization; and the other is the organization of the internal auditing function itself.Today, the main organizational setup of corporate governance, risk management and internal control is along the three lines of defence (BEF, 2009).The first line -usually front-line functions -is responsible for managing risks and have techniques in place to demonstrate effective implementation of control.The second line monitors, reviews and tests effectiveness of first line controls.The third line independently evaluates and provides an opinion on the adequacy and effectiveness of both the first-and second-line approaches.This demonstrates how assurance activities coordinate to provide assurance to the board of directors, the audit committee, the chief executive officer, and stakeholders (IIA, 2014).This third line is the internal auditing function itself and its place in the organization.The IIA Practice Advisory 1110-2 (IIA, 2008) states that "the Chief Audit Executive should report to a level within the organization that allows the internal audit activity to accomplish its responsibilities".The internal audit function is considered a part of the internal control system of a company, yet it must remain an independent, objective assurance and consulting activity that supports and reports to a company's CEO and audit committee (Protiviti, 2009).
As for the organization of the internal auditing function itself one must consider the roles inherent in the IA function.These have been evolving in many organizational contexts since the early 1940s (Moeller, 2004) and currently include risk assessment, providing assurance regarding controls, compliance and consulting as well as operational-oriented work, with the objective of enhancing the organization's effectiveness or efficiency (Hermanson & Rittenberg, 2003).These roles are most often organized in a departmental form with an internal auditing manager and employees that take on one or more of these roles (Protiviti, 2009).

Behaviour and internal auditing
Behaviour and perceptions are important elements of governance, risk management and internal control.If the performance of internal auditing tasks does not result in change in behavior that lead to improvements in efficiency and effectiveness, then it offers little or no value.Quality and acceptance of a management function such as internal audit depend heavily on the way skills and experience of organizational members are used in the design and how the system relates to their needs (Algera & Koopman, 1984).The basic premise here is that like with any other management function, if tasks, techniques and organization can be designed and controlled, then behavior will change as well.Employees can be trained, given instructions, subjected to internal controls etc. but their behavior and the way they react to tasks and techniques is at their discretion.Behavior may thus transform the way tasks and techniques are supposed to be used into something else.
Becker's work on the economics of crime for example provides insights into how to deter dishonest behavior (Becker, 1974).Becker argues that an individual may be deterred from engaging in criminal activity when a higher fine (penalty) is imposed and there is a greater probability of detection.Hollinger & Clark (1983) established that employee deviant behavior is inversely related to the perception that the theft will be detected.This finding is significant as it suggests that increasing the perception of detection may be an appropriate approach to deter employee theft when compared to enforcing increased sanctions.The majority of fraud prevention and deterrence efforts are directed toward minimizing opportunity through the internal control environment.Along these lines, if implementing CA increases the perception of detection in an employee's mind (Vasarhelyi et al., 2010;Singh et al., 2014), then they are less likely to engage in fraudulent conduct.

Continuous auditing and the IA function
In contrast with the pure ex-post facto nature of the traditional audit process, the realor near real-time nature of continuous auditing provides an opportunity for immediate assurance either simultaneously or just after an event (Rezaee et al., 2002;Vasarhelyi et al., 2004).It provides an opportunity for controlling a process at the same time or just after the event and in certain cases the ability to correct the event, Vol. 13, No. 4 making it very different from a traditional audit.By automating transaction and compliance audit procedures, internal audit's attention is directed at more complex audit objectives, such as dealing with estimate and judgment verifications that require judgment and professional skepticism.Internal audit's primary role in such an environment becomes investigation of exceptions and reviewing audit procedures requiring judgment and professional skepticism (Vasarhelyi et al., 2004).

CA and the tasks of the IA function
Adopting CA results in changes to the manner internal audit performs its activities (Vasarhelyi & Halper, 1991).In a traditional audit, manual internal control and substantive details testing are periodically performed to evaluate management's assertions.In a CA environment these practices are automated and occur at more frequent intervals (Alles et al., 2006).In traditional auditing, internal control testing occurs in the planning phase and substantive testing occurs in the investigation stage of the audit (Vasarhelyi et al., 2004).These occur simultaneously in a continuous auditing environment and is a necessary process to support real-time assurance (Rezaee et al., 2002).Traditional audits rely on the use of sampling whereas CA can consider the entire population of transactions (Singh et al., 2014) thereby increasing the effectiveness of the audit.However, there is no assurance that all material errors, omissions, fraud, and internal control violations may be detected due to collusion and management override (ACFE, 2016).
The development of continuous auditing has brought with it a focus in internal auditing on the specific methods and techniques that can be applied when using information technology.Vasarhelyi et al. (2004) for example outline several techniques enabled or improved some of the methods available in CAS.These include continuity equations, transaction tagging, time-series and cross-sectional statistical analyses, automatic confirmations and control tags.These techniques work on the principle of detecting large variances or exceptions to established norms as they occur.Rezaee et al. (2002) demonstrates the use of audit data warehouses and audit data marts together with analytical tools.Groomer and Murthy (1989) implemented the EAM approach to capture information about exceptions and violations and Debreceny et al. (2003) used EAMs to develop alerts for ten potential types of frauds.Murthy (2004) examines the effects of adding continuous auditing processing to overall system performance and concluded that the effects may be detrimental without appropriate capacity planning.Best et al. (2009) proposed an MCL strategy that makes use of security audit logs, changes in master records and accounting audit trails to detect vendor fraud in SAP enterprise.Debreceny and Gray (2010) explored the application of statistical datamining to detect fraud in journal entries.Jans et al. (2013) used process mining to extract event logs maintained in an ERP system.Singh et al. (2013) examined the design and implementation of three separate continuous auditing systems that are based on audit data warehouses, analytical and visualization techniques.Kogan et al. (2014) developed a data level continuous assurance system and sample procurement data to monitor compliance with analytical procedures and rules applied to metrics of business processes.Singh and Best (2016) made use of a multi-visualization approach to present data visually to compliance personnel.Patterns, trends and correlations that may potentially remain undetected in text-based data may be exposed and recognized with less effort.
The impact of CA on IA tasks can lead to progress through the four stages of the audit maturity model (Vasarhelyi et al., 2012), which may enhance internal audits ability to evaluate existing and emerging risks on a proactive basis, thereby increasing its value proposition to an organization (Oringel & Aldhizer, 2009).

CA and organization of IA
An effective system of internal control reduces organizational risk to an acceptable level.Internal audit departments provide assurance on financial reports and implement and enforce effective control monitoring (Vasarhelyi et al., 2012).The organizational IT systems provide the underlying infrastructure for both transactional and monitoring systems (Vasarhelyi & Halper, 2002).High level organizational metrics are obtained from the monitoring infrastructure and serve to inform organizational performance.Continuous auditing utilizing monitoring processes and innovative analytics produce audit exception reports and alarms that are delivered to auditors and other stakeholders.The organization of the IA function would reflect this with internal responsibilities of monitoring source systems, configuring continuous audit setup, using external information and reporting to stakeholders.
As an organization progresses to higher levels in the audit maturity model proposed by (Vasarhelyi et al., 2012), techniques employed become more integrated across the organizational hierarchy resulting in greater cooperation among the various business units (De Aquino et al., 2008).Vasarhelyi et al. (2011) developed methods to predict the effect of technological changes in auditing in the next ten years.Their findings indicate that there is need to move from the current sampling-based audit techniques to one that continuously monitors the entire population of transactions, providing constant surveillance and instantaneous response.Such an audit will reduce the time necessary in identifying risks and allow more time for interpretation of the results.
The key to successful CAS adoption is for management to own and perform the process as part of its responsibility to implement and maintain an effective control environment.Since management is responsible for internal controls, they need to have a means to regularly determine whether the controls are operating as designed.Being able to identify and correct control problems on a timely basis improves the organization's control environment.An added benefit is that instances of error and fraud may be reduced (Protiviti, 2009).
An effective CAS implementation should reduce the amount of detailed testing that internal auditors are required to perform.A positive side-effect is that the internal Vol.13, No. 4 audit function may adopt a risk-based audit approach and focus on areas of the organization with the greatest need (Singh & Best, 2015).

CA and behavioral impact of IA
Fraud deterrence programs create an environment in which organizational stakeholders are discouraged from committing fraud.This is usually accomplished through a variety of mechanisms including the use of CAS (Vasarhelyi et al., 2010;Singh & Best, 2015).However, even the best of breed CA technologies may be circumvented by collusion or management override (ACFE, 2016).Therefore, when considering the entire organization, a paradigm shift from prevention to deterrence is required to create fraud-deterring environment (Albrecht et al., 2009;Kranacher et al., 2010).
A considerable effort has gone into investigating behavioral issues in relation to accounting information systems, including the impact of information systems and technology on individuals, organizations and society (Sutton & Arnold, 2002).Arnold et al. (2004) for example conducted a study on the use and effect of intelligent decision aids.They found a disparity when novice users are required to use highly intelligent systems for decision making purposes.Inexperienced users are negatively impacted by the system and these users do not learn by experience.Should an organization invest in a technological solution to supplement an expert internal auditor?In a competitive marketplace several opportunities as well as challenges exist and these need to be explored.For example, there may be a shortage of skilled experts and a such a solution may serve to reduce the burden of information overload on an organization's compliance personnel (Singh & Best, 2016).Organizations need to take steps to overcome barriers to implementation such as; corporate culture resistant to change, existing solutions and source data, lack of internal resources or skills and, budgetary constraints (KPMG, 2008).
Turning towards continuous auditing, the benefits of CA extend beyond that of meeting the demand for assurance.Efficiencies derived may facilitate organizational-wide coordination of internal audit and control activities, and improved communication and information exchange across departments and the organizational hierarchy (Abdolmohammadi, 1999).Associated costs may include costs of training employees, and changes needed for compliance across the valuechain.Benefits may include reduced anomalous and fraudulent activities, improved processes and control; however, it is anticipated that they (benefits) may extend well beyond these factors (Brown et al., 2007).
Despite the fact that auditing continuously may appear ideal, the impact on the operation of accounting information systems may not always be cost-effective (Chan & Vasarhelyi, 2011).Du & Roohani (2007) proposed a CA model that mirrors the traditional audit engagement period.In their model, the audit cycle commences when the auditor connects to the accounting information system and ends when the auditor disconnects, with multiple periodic connections being possible (for example, after a period of time has elapsed or a threshold number of transactions have been reached).Pathak et al. (2005) established that a CA model dependent on transaction volume may be more cost-effective, for example, an audit is triggered after a number of accounting transactions are entered into the accounting information system

Framework for researching continuous auditing solutions and internal auditing
A general definition of information technology is the use of computers, storage, networking and other physical devices, infrastructure and processes to create, process, store, secure and exchange all forms of electronic data (2019a).As indicated previously, CA may be defined from a variety of dimensions rather than by one single definition.These dimensions include the analytical methods used, the assurance level aimed for, the time interval between event and assurance, the assurance entity in question, a retrospective or predictive time focus, the sources of data, the chosen audit procedure and the choice of assertion (Bumgarner & Vasarhelyi, 2015).
Some research has focused on the business processes, rules and technical framework enabling continuous auditing practices (Kogan et al., 2014;Vasarhelyi et al., 2004).For example, there has been some focus on defining and clarifying the distinction between embedded audit modules (EAM) and stand-alone management control layers (MCL) regarding the underlying architecture.(Debreceny et al., 2005) describes in six case studies the EAM technological architecture in six ERP offerings.What characterizes these case studies is the level of technicality and programming involved in setting up the continuous auditing processes.Other authors address the advantages and disadvantages of these solutions (Groomer & Murthy, 2003) and how EAMs are implemented (Debreceny et al., 2003;Debreceny et al., 2005).This literature is practically focused and describes CA both in technological terms as well as in functional terms, how it can be used as well as challenges in implementation.In a similar vein, other technical issues in continuous auditing have been explored.For example, Rezaee et al. (2002) explore server technologies and data integration in the context of audit activities supported by CA.Analytical methods for arriving at an audit opinion using CA technologies have been examined (Srivastava & Mock, 2000;Gillett & Srivastava, 2000) and yet another strand of literature focuses on database technologies in the context of CA (Rezaee et al., 2002;Kogan et al., 1999;Borthick et al., 2001).
This technological focus is necessary and offers valuable and practical insights into configuration and use.It does, however, not look at the use of the technology in a broader information system perspective.An information system is a combination of hardware, software, infrastructure, processes and human resources organized to Vol. 13, No. 4 facilitate planning, control, coordination, and decision making in an organization (Britannica, 2016).There are different types of information systems in business with the classic typology being transaction systems (TS), management information systems (MIS), knowledge management systems (KMS), decision support systems (DSS) and executive information systems (EIS) (Laudon & Laudon, 2014).Such information systems are increasingly based on standardized, adaptable, packaged software that is implemented by a vendor or a consultancy (Rashid et al., 2002).This means that the implemented functionality of the system is going to be adapted to the requirements of the customer although it is based on a common architecture.
A recent market scan reveals that continuous auditing functionality is included in many vendor solutions (Murphy et al., 2016;2019c;2019d), thus highlighting the growing market for solutions in what the analysis firm Gartner currently calls integrated risk management (IRM) (2017; 2019b).This is a broad term encompassing solutions focusing on audit management, compliance management and legal management.These are either integrated in existing ERP system solutions such as SAP and Oracle or stand-alone solutions sold by an independent vendor.SAP GRC is an example of the former and Bwise and Galvanize (formerly ACL), and Enablon are examples of the latter.
Looking at the functionalities of the solutions above, it is apparent that they share characteristics with both MIS and DSS type of systems (Laudon & Laudon, 2014;Sharda et al., 2014) in terms of: (i) Data management including functionality for accessing data from different databases, processing it and making it available for monitoring and analysis.This also contains functionality for real time monitoring of data streams in enterprise systems and between different sources and destinations; (ii) Data analysis which comprises functionality for analysing and testing with the aim of arriving at an opinion; (iii) Process support which is functionality for supporting audit processes, legal processes, compliance processes with e.g.digital workbooks and access to standards; and finally (iv) Information delivery which is functionality for reporting and visualization of information through for example dashboards and scorecards.The presence of these functionalities is what comprises a continuous auditing solution (CAS) today.For example, the enterprise-wide Oracle Fusion GRC can be configured to have its own access to source systems with transactional data, and performs data analysis for monitoring, testing, and threat detection through pattern recognition as well as automatic segregation of duties (2018a).Information delivery is then handled through dashboards, visual alarms and reports (2018b).Also, the process support functionality included in some of the solutions shares similarities with knowledge management systems.This includes: (i) Documentation management, (ii) Content management and (iii) Knowledge sharing.
An example of a solution with process support functionalities is Enablon (2019e).This is a web-based solution that allows secure, traceable and auditable storing, sharing and managing of documents, with functionalities for setting up authorization trees, electronic signature validation and content changes tracking.
The development, implementation and evolution of CAS is closely linked to advances in information technology and systems.Subsequently, CAS is most effectively implemented in organizations that adopt a well-developed technology infrastructure (Chiu et al., 2014).Research in CAS therefore has to reflect on the implications of advances in technology, the changing audit paradigm, and its impacts on the organization.CA's role in internal audit is to enable auditors to automate the evaluation and adequacy of management's monitoring function and to perform control and risk assessments on a more frequent basis (IIA, 2016).Technology plays a key role by helping to automate the process.If differences between information systems are not taken into account, CA maturity models will assume that all CAS will lead to the same level of maturity which is not the case.The CAS perspective shifts the focus from internal and external auditors to management.Internal auditing has been the dominant perspective in the CA literature but from a technology and compliance perspective.An IS perspective enables researchers to draw on information system research and strengthen the theoretical underpinnings of CA.
Research in the discipline may link IS to changes in behaviors, use of innovative techniques, organization of CA and, outcomes such as financial performance improvements due to use of CA.
We propose that the relationship between CAS and IA should be framed as shown in figure 1 below.Similar frameworks have been proposed in other fields as focus for research (Mauldin & Ruchala, 1999;Rom & Rohde, 2007).In essence, we propose that, apart from researching the specific technologies that the CAS is based on, researchers should also focus on the broader aspects of CAS and (i) how it interacts with and impacts on the IA management function; (ii) how these are in turn affected by various contextual variables and (iii) what the outcome of adopting, implementing and applying CAS in various contexts has.This perspective is based on several tenets drawing on e.g.Rom & Rohde (2007).
On the left-hand side is the continuous auditing solution based on the functionality bundles described earlier.The adoption, implementation and application of this solution is impacted by what solution is chosen but as more solutions are becoming configurable the configuration and characteristics of the CAS are in turn dependent on the implementation process.On the left is the view of IA as a management function performing certain tasks, organized in a certain way and impacting organizational behavior.These impact on the adoption, implementation and application of the CAS but are also impacted on in turn given the characteristics of the CAS.The adoption, implementation and application are impacted by the context of the organization including both internal and external variables.Finally, adoption, implementation and application create organizational outcomes given the characteristics of the CAS and the IA function.
Such an information system perspective may potentially enhance the theory behind CA in general.The information systems field offers a rich vocabulary, theoretical approaches and a large body of prior research that can frame and strengthen CA research.Many suggestions for future research in CA may be developed with reference to prior information systems research (Sidorova et al., 2013).Rather than providing a comprehensive list, this paper proposes examples of potential research questions based on figure 1 below.First each section poses different research questions after which various theories and methodologies to answer these questions are discussed.

CAS and IA
Internal auditing is conducted by a host of different people within the internal audit department.With the introduction of CAS in the organization, the role of the auditor is changing.Do the IA team possess insights into the new possibilities offered by standardized CAS? Research is needed on how the role of the IA team is changing with the introduction of CAS.What skills do they need?What is the impact on the design of audit techniques?Another aspect to consider is the role of IA as a governance mechanism.Integrated and stand-alone CAS are taking on new roles in the organization.IA may no longer be the sole domain of the internal audit department.How will this impact on the role of the internal auditor?Will this role merge with other roles, for example, IS audit, quality audits and compliance audits?Asking auditors to change their mind-set from performing traditional audits to relying on automated audits may also pose challenges.Auditors may be required to undergo training to adjust to the changing job role.How can training be conducted to assure that auditors are familiar with the CAS environment.Does this have an impact on their credentials, performance evaluations or role in the organization?
Apart from how CAS will change the IA function other questions concern how CAS will impact the tasks performance of IA.How does the use of CAS impact the role and decisions of auditors and audit committees when it comes to corporate governance, risk management and internal control?In this context a specific focus on enterprise systems could be interesting.As these systems are becoming ubiquitous in the modern business environment, the data integration between CAS and enterprise systems should be studied given that the underlying financial data is the basis for CA alarms, alerts and exception reporting.Furthermore, an CAS may be integrated along different dimensions such as: data, hardware/software and information.Such integration creates its own challenges regarding for example internal controls.
An in-depth understanding of the behavioral implications of implementing and applying CAS is required.More research on specific design considerations is needed, for example, how are CAS designed and implemented in practice and how do these designs affect the behavior of employees and management?As CAS deployments increase will this lead to a decrease in the number of audit practitioners?How does this effect the audit discipline, and will there be a significant decline in graduates entering the profession?Colleges may need to focus their audit programs on automation, project management, systems and software development and data analytics as future IA roles may no longer focus on contemporary discipline knowledge.A key challenge facing organizations is attracting and retaining high quality professionals (Allen et al., 2008).How will job stressors such as role ambiguity or role conflict, potentially introduced by CAS, affect retention and influence employee turnover?Research is needed to examine issues related to career mobility and transition from traditional audit to roles requiring more technical proficiencies.In the current technologically evolving work environment, the need for employees to learn new skills effectively and efficiently is constantly increasing., 1995) relevant in understanding the determinants of organizational adoption of CAS?In addition to the factors typically affecting adoption of IS innovations, including organizational readiness, external pressures and perceived benefits, are there any specific factors affecting CAS adoption?Do cultural factors affect the way in which people interact with CAS?

Context
The adoption, implementation and application of CAS are affected by contextual forces.The undeniable power of organizational politics is an example.CAS projects are mostly strategic which implies that the commitment and support of management are not optional.Other factors include organization size, knowledge and culture which play a vital role for CAS implementation success.In the modern technological age, the idea of "time" has undergone a revolution that has crashed timelines in an unprecedented way.While organizations in the post-World War II period experienced relatively long and slow growth/decline periods; currently, large firms may rise and fall in matter of few months (for example: Snapchat and Nokia).
Academic research is sometimes intent on developing complex representative models and sophisticated terminologies, while practical implementation carries its own set of complexities.For example, implementing CAS in a telecommunications company is very different to a financial consultancy firm.In the first case, CA has many layers: firstly, CA at the service level may entail comparison of Call Detail Records ensure that calls, SMSs, data and other value-added services are being technically charged correctly.Secondly, CA on the financial level, includes billing of suppliers and customers.The third layer may involve CA for the sales process, such as controlling subsidies for dealers and sub-dealers.A fourth layer is CA for compliance to ensure that Federal Communications Commission rules, for example, are being met.On the other hand, a financial consultancy firm may only require one of these layers.The design and success of these practical applications can be enhanced by targeted research.
Researching other context variables can bring with them important insights into the relationship between CAS and internal audit.The acceptance of technologies is a significant concern in organizations that have developed or implemented information systems.The Technology Acceptance Model (TAM) assumes that perceptions about usefulness of a technology is driven by the user's attitude towards the technology (Davis, 1989).Research is needed on what factors influence individual acceptance and use of CAS?What system characteristics influence acceptance, for example, usefulness, ease of use or control.What individual characteristics influence acceptance, for example, expertise, personality traits or computer anxiety.Are there any external factors, such as, training, management support or task characteristics that contribute to acceptance?The success of a CAS implementation is driven by use outcomes.System use therefore may be a necessary precondition for the measurement of success.This, however, needs to be determined by further research.If CAS is adopted, does this lead to more effective and efficient internal audits?Other factors driving demand for CAS include Sarbanes-Oxley Act and the need for reliable financial disclosures.Will the demand factors lead to more CAS implementations?Studies of actual implementations are needed to provide such empirical evidence.As CAS become more prevalent, the need for formalizing accounting and audit standards becomes essential.The audit profession relies on professional judgements.CAS is implemented in computer software that requires clear definitions and rules.What guidelines can standards setters provide to allow for effective implementation of CAS? Can audit standards be revised to ensure audit quality is maintained?Big Data is presenting a challenge for the accounting and audit functions in many organizations (Moffitt & Vasarhelyi, 2013).How can evidence from large, volatile and rapidly expanding datasets be incorporated into IA in general and CAS in particular?What types of evidence will such datasets contribute to the audit process (Alles & Grey, 2016)?

Outcomes
An important issue is what outcomes the adoption, implementation and application of CAS has for IA and for the organization as a whole.Several frameworks exist which discuss the relationship between investments in information systems and performance which could be applied to CAS investments (Barua et al., 1995;Dehning & Richardson, 2002).For example, what is the impact of CAS investment and innovation on organizational value, productivity and organizational efficiency?CAS will automate and replace some manual tasks.Are there targeted cost reductions?Does CAS implementation drive further cost reductions as systems are deployed organizational-wide.What impacts do CAS projects have on IA, for example: efficiency, improved assurance, and perceived value of IA to the organization, and on the organization as a whole.Does a CAS lead to improvements in organizational performance in terms of service provision, profit or market value, and under what circumstances?The decision to implement CAS is influenced by technological, organizational, and inter-organizational factors (Chwelos et al., 2001).The outcomes may potentially be recursive, that is, they may further influence the above-mentioned factors.Further studies are required to determine whether this is the case.How does CAS impact on the organization's governance practices, in particular, internal audit?What methods are required to evaluate performance effects of CAS on internal audit task performance?

Theoretical perspectives and methodology
Information systems theory offers a rich selection of theories which can be used to examine the links shown in figure 1.These include the TAM (Davis, 1989), the diffusion of innovations (Rogers, 1995), The model of Information System Success Vol. 13, No. 4 (Delone & McLean, 2003), the Theory of Technological Dominance (Arnold & Sutton, 1998) to name a few.However, instead of listing different theories we here offer some thoughts on the use of theory and methodology in answering the research questions above.
As Burton-Jones et al. (2015) describe, theories can have variance, process or systems perspectives.Theories with the variance perspective aim to explain, predict or understand variances, variations, differences and covariations of properties of entities in a system.Theories with a process perspective aim to explain, predict or understand sequences of events and how entities involved in these events are affected.Theories with a systems perspective aim to explain, predict or understand overall system components, emergence, interactions and feedbacks.We would encourage researchers to adopt and develop theories with all three perspectives when thinking about the research questions above.Although the trend in some disciplines is to focus on variation perspective theories our understanding of a phenomenon is enhanced by applying all three perspectives either separately or mixed as Burton-Jones et al. (2015) suggest.Below we show how applying the different theoretical perspectives shapes how some of the research questions posed above are addressed.
1. Is buying a packaged CAS the best option or should elements of CAS be developed inhouse or used as open source?1.1.Variance theory perspective: Use or develop theories that help us explain, predict and understand differences between adoption patterns, outcomes and variables such as industries, company size and cultures.Here a quantitative survey methodology could be applicable with statistical analysis of results.1.2.Process theory perspective: Use or develop theories that help us explain, predict and understand the sequence of and relationships between adoption, implementation and application events and how they affect outcomes in different types of CAS implementation projects (e.g. standard system, bespoke system, cloud-based system).A multiple case study could be applicable as a methodology 1.3.Systems theory perspective: Use or develop theories that help us explain, predict and understand the system of events and actors that comprise the entity adopting and implementing different types of a CAS.This could include a focus on the properties of each entity and actor, the interaction between them as well as with the context of the predict and understand the properties of the skills needed, the properties of the audit teams needing these skills and the entities and actors comprising the system in which these skills are employed.A qualitative approach would be applicable here or a grounded theory approach focusing on using the empirical data to develop system-based theories about these properties and relationships.3. Does a CAS lead to improvements in organizational performance in terms of service provision, profit or market value, and under what circumstances?3.1.Variance theory perspective: Use or develop theories that help us explain, predict and understand differences in the links between CAS, organizational performance and the context of the organization.Organizational performance can be defined in a variety of ways including financial performance, efficiency, effectiveness, employee wellbeing, and social responsibility.The context of the organization can also be defined in terms of different variables including perceived uncertainty, size, political stability and culture.Such research could apply broad scale quantitative surveys and advanced statistical analysis to discern these relationships and develop theories about them.3.2.Process theory perspective: Use or develop theories that help us explain, predict and understand the processes in the implementation and application of different CAS that impact the different dimensions of organizational performance.This could focus on understanding these through in-depth case studies as well as comparing them across industries and contexts in comparative case studies.3.3.Systems theory perspective: Use or develop theories that help us explain, predict and understand the properties and interactions of the system surrounding the implementation and application of CAS in the context of organizational performance.This could use in-depth case studies to explain and understand different components of the system including audit teams, audit objects, the information system on which the CAS is based, the results of the audits, the application of audit results in improving performance, the impact on variables that drive performance and value creation in the Vol.13, No. 4 organization.A holistic methodological approach applying for example actor network theory or similar types of approaches could be applicable in this context.
The above shows how different theoretical perspectives could be applied to answer three of the research questions posed above.Similar application could be done for the rest of the questions.We would urge researchers to perform future research of the links shown in figure 1 using a variety of theoretical and methodological approaches and perspectives.A diverse theoretical and methodological approach will enrich our understanding of this important research topic.

Concluding remarks
Advances in technology and a growing demand for continuous auditing is making significant impact on the role of internal auditing.Continuous auditing fundamentals, theories and technologies are widely documented in the extant literature.In the last few years a view of continuous auditing has emerged as a multidimensional construct, in that CA consists of many diverse elements and may be implemented at various levels of sophistication.Globally, organizations consider CA as a valuable in scenarios where processes are repetitive and susceptible to risk.There is widespread acceptance, a growing demand for, and increasing investment in CA.However, CA is not only a technology-based tool that automated parts of the traditional audit but an information system that is of value to a broader set of stakeholders in the organization.A major stakeholder that is instrumental in the adoption and implementation of continuous auditing solutions is internal auditing.This management function is an independent, objective assurance and consulting activity, designed to support corporate governance, assess the effectiveness of the control environment, add value, and improve an organization's operations.Given the growth of and widespread implementations of various information systems, the role of this function in assuring integrity of decision relevant information in the organization has gained importance.
This research note was first of all motivated by the wish to provide some additional perspectives on continuous auditing research.Extant research focuses on how CA is used in assisting IA in ensuring compliance with policies, standards and regulations.
Researching how internal auditing uses CAS to improve its tasks, organization and impacts on behavior in a broader management context could provide a deeper understanding of development and outcomes of current CAS applications.Secondly, current research could benefit from examining information technology acquisition and implementation practice as it stands today in the light of information systems theory.Thirdly, a holistic focus on the links between CAS, the IA function, context and outcomes could provide academics and practitioners with valuable information about the impact differences in contextual variables, implementation approaches,

Figure 1 :
Figure 1: A framework for researching CAS and internal auditing as a management function (Goode, 2005;Subramaniam et al., 2009) that IS developments, including CAS, are aligned with organizational goals.Research is needed on what factors influence short-term and long-term alignment.Do the factors found influential in achieving alignment of IS developments generally also apply to CAS projects(Reich & Benbasat, 2000)?What information systems related risks need to be managed in CAS projects?Is buying a packaged CAS the best option or should elements of CAS be developed inhouse or used as open source?When CAS are developed rather than purchased, how can CAS project success be measured?What factors influence successful development, implementation and acceptance by the organization?What purchased software options are available to organizations, and what are the potential benefits and costs of open source solutions?Are issues such as cost, support, source code access, reliability, learning curve, compatibility and licensing relevant to acquisition decisions in the context of open source CAS(Goode, 2005;Subramaniam et al., 2009)?What factors might influence an organization to outsource its CAS? Are there any specific CAS issues relevant in the outsourcing Vol. 13, No. 4 decision-making process, and the management of outsourcing engagements?Is Rogers' Diffusion of Innovation model (Rogers Use or develop theories that help us explain, predict and understand differences in or impact on skills required in audit teams applying for example packaged CAS, open source CAS bespoke CAS, cloud-based CAS and audit teams that do not use CAS.Analyze this in connection with contextual and outcome variables such as industry, size and performance.Survey methodologies seem appropriate, either questionnaire based or standardized interviews.2.2.Process theory perspective: Use or develop theories that help us explain, predict and understand the sequence of events that impact on skill application and development in different CAS use contexts.This could focus on the performance if audit tasks described above and how different skills are needed, applied and develop interacting with different types of CAS.Comparative case studies using both quantitative and qualitative data collection methods would seem applicable in this context.2.3.Systems theory perspective: Use or develop theories that help us explain,