Continuous auditing and the market for monitoring costs

(1)

monitoring costs

Student name: Nick Nijenhuis Student number: S3519899

Track: MSc Organizational & Management Control

Supervisor: Prof. A. Bellisario Co-assessor: Prof. dr. I.J.J. Burgers

Date: 24-06-2019

(2)

2 Abstract

Organizations are under constant pressure by internal and external stakeholders to improve the reliability and accountability of their information. These pressures increase the demand for a more sophisticated quality-assuring devices such as continuous auditing (CA). CA enables organizations to provide assurance in a timelier manner than traditional audits. It is a well-known subject by academia, but CA’s adoption by practitioners has lagged behind expectations. Research has primarily focused on technological aspects to explain this phenomenon, however CA has been argued to be demand-driven. Using a maximum variation sampling strategy, this study contributes by using case studies within three organizations and four consulting firms to explore the managerial motives that drive the demand for CA technology and practices. This paper concludes that managers use CA in effort to create internal and external synergies, thereby increasing audit efficiency. While external synergies through external auditor reliance is posited by prior literature, this research suggests that these synergies cannot be taken for granted. Additionally, increased audit effectiveness through improved thoroughness and responsiveness leads to increased audit quality which is another managerial motive to use CA. From an agency theory perspective, reducing monitoring costs and agency costs are the main managerial motives to use CA. This paper furthermore suggests multiple fruitful avenues for future research with regard to increasing the firms’ external auditor reliance and the development of hybrid CM/CA frameworks.

(3)

3

1. Introduction

The digital era is enabling companies to use a vast amount of data within their decision-making process (Dzuranin & Mălăescu, 2016). In order to do so, companies are increasingly leveraging information technology to process available data. Technologies such as the advent of enterprise resource planning (ERP) enable continuous, real-time processing of information for decision-making purposes (Chan & Vasarhelyi, 2011). Besides the demand for real-time information, the information provided should be free from material errors, omissions and fraud (Chan & Vasarhelyi, 2011; Coderre, 2006). In addition, Malaescu and Sutton (2015, p. 96) postulate that “companies are under constant pressure to improve the reliability and accountability of their financial information in order to comply with regulatory bodies and to compete for capital in the evolving global business environment”. Pressures that are exerted on organizations have increased the demand for a sophistication of the audit profession (Masli, Peters, Richardson, & Manuel Sanchez, 2010). Alles, Kogan and Vasarhelyi (2002) posit that the auditor’s ex post ‘archival audit’ will inevitably be supplemented, or even replaced, by a more timely and continuous semi supervisory function. Similarly, Pricewaterhousecoopers (2018) suggest that auditors have to adapt to disruptive information technologies in the digital era and that the “internal audit departments must shift their underlying methodologies to more ongoing, continuous, or real-time modes of audit”. Finally, Vasarhelyi (2008, p. 228) adds that “it is up to accounting researchers – especially those in accounting information systems – to embrace change and assert the role that they have by removing the “traditional” label from accounting in the “now” economy”.

Continuous auditing (CA) is a methodology that enables auditors to provide assurance simultaneously with, or a short period of time after the occurrence of a business transaction (Vasarhelyi, Alles, Kuenkaikaew, & Littley, 2012). Coderre (2006) states that CA involves automated routines to provide assurance on accounting transactions and report unusual variations, exceptions and control violations. Vasarhelyi et al. (2012) adds to this discussion that CA’s goal is to reduce the latency between the occurrence of the transaction and the provision of assurance. The methodology relies on information technologies such as enterprise resource planning systems, data analysis and other comparable technologies. Besides CA, researchers as well as practitioners are referring to comparable concepts such as continuous monitoring (CM) and continuous assurance. This research is specifically referring to CA to provide clarity and to avoid conflict. The difference between the concepts of CA, continuous assurance and CM will be further elaborated in the literature review.

(5)

5

(Hunton, Mauldin, & Wheeler, 2008), and that it is an effective method to deter fraud (Gonzalez & Hoffman, 2018; Kuhn & Sutton, 2006). In addition, Elliot (2002) suggests that more frequent and higher quality audits are able to reduce the cost of capital and Botosan (1997) finds evidence of this matter. Considering the positive associations with the use of CA, one might suspect widespread adoption of CA within organizations over the last decade. In contrast, practitioners postulate that organizations are minimally implementing CA (Deloitte, 2010; KPMG, 2010). This notion is supported by Gonzalez and Hoffman (2018) who state that the adoption has lagged behind expectations.

In order to understand why CA adoption is lagging behind expectations, multiple studies were conducted (e.g. Rikhardsson & Dull, 2016; Vasarhelyi, Littley, & Williams, 2014). However, the aforementioned studies focus primarily on technological factors that might influence the adoption of CA. Alles et al. (2002) suggest CA is not a function of technology, but rather a function of demand for more timely assurance. This demand is partially created by the managerial decision whether the use of CA creates value for the firm. Kogan (1999) adds that the market demand for CA is closely

associated with the benefits and that a clear understanding of these benefits from a managerial aspect would be valuable. This is consistent with Hunton et al. (2008) who suggest that special attention should be paid to understanding managerial motivations with regard to quality assuring devices such as CA. Therefore, the goal of this study is to explore the managerial motives to use CA and it is doing so by mobilizing a maximum variation sampling strategy. This study is contributing to a growing body of literature on continuous auditing by answering the following research question: “What are the managerial motives of using continuous auditing (CA) and thereby improving audit frequency?” The findings show that managers have the motive to create internal and external synergy and thereby increasing audit efficiency. Also, managers have the motive to increase audit effectiveness and audit quality by using CA.

The remainder of this paper is structured as follows: the next section highlights the relevant theoretical lens that is required to understand the mechanism that is used in this paper.

(6)

6

2. Theoretical background

2.1 Theoretical framing

For understanding the demand for more timely auditing practices, one must first understand the demand for auditing practices in general. Researchers emphasize the role of agency theory for explaining auditing activities (Adams, 1994; Antle, 1982; Parkash & Venable, 1993; Watts & Zimmerman, 1983). Therefore, this study follows the assumption that agency theory is considered most relevant to explain the demand for auditing activities (Deangelo, 1981; Wallace, 2004). Thus, agency theory will be mobilized as a primary theoretical lens in this study.

2.1.1 Agency theory

The stream of agency theory initially started with Coase (1934) asking the question “why do firms exist?”. Coase (1934) views the firm as a nexus of contracting relationships among individuals that attempt to economize on transaction costs (See Williamson, (2002) for further elaboration on transaction costs). Economizing on transaction costs is generally done by bringing transactions inside a firm rather than buying them from the market. The firm can thus be recognized as a legal fiction and the individuals as agents of labor. Consistently, agency theorists view the firm as a “black box” with inputs and outputs to maximize the present value of the firm for the owners (Jensen & Meckling, 1976). Jensen & Meckling (1976) posit that individuals with hundred percent ownership of the firm will have no interest to diverge from the firm’s primary interest of wealth maximization. However, when separation of ownership and control occurs within a firm, interests diverge between the owners of the firm. Owners might pursue their own interest above the firms’ main interest of profit maximization, thereby generating agency costs for the firm. The same situation can be perceived if responsibilities are delegated from the principal (owner) to agents (manager), as agents might pursue their own interest. However, it is possible to decrease the opportunity that the agent has to capture benefits for their own interest. Methods to decrease this opportunity “include auditing, formal control systems, budget restrictions, and the establishment of incentive compensation systems which serve to more closely identify the manager’s interests with those of the outside equity holders” (Jensen & Meckling, 1976, p. 323). The aforementioned methods are classified as monitoring costs. These methods are used to reduce the agency costs incurred by the conflict of interests between owners and managers (Jensen & Meckling, 1976; Watts, 1977).

(7)

7

classified as monitoring devices that are demanded because of the conflicts of interests between the owner (principal) and manager (agent) (Deangelo, 1981). Deangelo (1981) among others (e.g. Wallace, 2004; Watts, 1977) argue that the provision of assurance by auditing financial statements is the least costs solution for the agency problem caused by a separation of ownership and control. Besides monitoring methods from principals (i.e. owners), agents (i.e. managers) engage in bonding behavior to legitimize their actions (Jensen & Meckling, 1976). Benston (1980) suggests that owners and managers bear the costs when stakeholders fear that those in control operate contrary to the firms main interest of wealth maximization. Jensen & Meckling (1976) suggest that agents therefore expend resources to guarantee that their interests will not diverge from the principals’ interests. Examples of bonding costs are expenditures on audit committees, non-executive directors and internal auditors (Adams, 1994). Adams (1994, p. 10) suggests that “agency theory contends that internal auditing helps maintaining cost-efficient contracting between owners and managers”.

To summarize, the demand for auditing activities can be understood in the context of agency theory because auditing reduces agency costs. The owners of the firm demand auditing activities as a monitoring mechanism to reduce the opportunity of the agent to engage in self-serving behavior. The agent demands auditing activities as a bonding mechanism to ensure external stakeholders that their interests are aligned with those of the firm. Watts and Zimmerman (1983) suggest that the pervasiveness of the bonding mechanism is increased by developing quality-assuring devices that increase the probability that a breach in a contract is detected. Continuous auditing can be considered as a quality assuring device that increases the probability that a breach is detected. It therefore functions as a bonding mechanism for agents as well as a monitoring mechanism for principals. The theoretical background in the next section explores relevant literature on continuous auditing.

2.2 Literature background

In order to understand relevant literature on continuous auditing, one needs to clarify the concepts that are closely related to continuous auditing. In prior literature, scholars use a variety of terms to describe work in the area of CA, for example: continuous monitoring, continuous auditing, continuous assurance, real-time auditing and a variety of other terms (Brown, Wong, & Baldwin, 2007). Some authors make a distinction based on the activity that the terms refer to, while others use the terms interchangeably. According to Alles et al. (2002, p. 126), “it is not surprising that there is a lack of clarity on these matters, giving the evolving state of these concepts”. This study will distinguish between the terms continuous monitoring, continuous auditing and continuous assurance in order to provide clarity and to avoid conflict.

(8)

8

2.2.1 Continuous monitoring, continuous auditing and continuous assurance

The aforementioned definitions have one common element: the activity performed should be “continuous”. But what exactly does “continuous” mean in this context? When is auditing, monitoring or providing assurance to be considered as “continuous”? Alles et al. (2002) suggests that the notion of “continuous” comes from a difference in: 1) how transactions are monitored, 2) analyzed and 3) provided with assurance by reporting the outcome of the analysis. Regardless of the frequency of reporting the outcome, CA stems from the belief that the provision of assurance, whether mandated or not, should “reflect and take advantage of the new real-time enterprise systems that companies are installing” (M. G. Alles et al., 2002, p. 126). Furthermore, Alles et al (2002) suggest that the fundamental point of providing assurance to transactions is undertaken because it facilitates other processes and third parties.

The continuous character of monitoring, auditing or providing assurance thus depends on the demand for assurance by the person that is willing to receive and pay for it (assuree). In the current way of providing assurance to transactions, the person providing assurance (assuror) will capture the information required, analyze and subsequently communicate the outcome periodically or on a case-by-case basis. The provision of assurance is therefore a costly process. If the assuree demands a higher frequency of assurance provision, and is therefore willing to pay for it, a prerequisite for “continuous” monitoring, auditing or a provision of assurance exists. The true value of ‘continuous’ assurance is therefore located in the efficiency of the provision of assurance by leveraging information technology (M. G. Alles et al., 2002). Moreover, Brown, Wong and Baldwin (2007) suggest that the incremental cost of providing assurance to more transactions is relatively small since information technology is leveraged. The notion of “continuous” thus comes from providing assurance to transactions by leveraging technology and enabling economies of scale to increase efficiency.

(9)

9

is meant to assess whether the organization is operating effectively. Auditing, however, whether this is internal or not, comprises an assessment of the organization their capability to identify, control or mitigate and monitor risks (Coderre, 2006; Verkruijsse, 2019). It is therefore not a function that is owned by the management of an organization, but rather by an independent party other than the management itself. Subsequently, “assurance can be considered to be an opinion to a third party regarding the state of affairs” (Coderre, 2006, p. 7). It is therefore the outcome of the audit assessment that is based on the monitoring capability of the organization.

When applying information technology to traditional monitoring, auditing or assurance services, the concepts of continuous monitoring, continuous auditing and continuous assurance arise (M. G. Alles et al., 2002). By implementing continuous monitoring, the management of an organization obtains the capability to receive information about their internal control system in a more timely matter (Brown et al., 2007; Kogan, Sudit, & Vasarhelyi, 1999; Verkruijsse, 2019). Continuous auditing enables the auditor to assess the management’s continuous monitoring capability on real-time basis, rather than a case-by-case basis (M. Alles, Brennan, Kogan, & Vasarhelyi, 2006; Coderre, 2006). Continuous auditing can therefore be defined as the application of information technologies to traditional audit services (M. G. Alles et al., 2002). Continuous assurance is subsequently the outcome of a continuous assessment of the monitoring capability of the organization (Coderre, 2006). The distinction between continuous monitoring, continuous auditing and continuous assurance is also given in a conceptual way in figure 1 below.

Figure 1: Conceptual model directly sourced from Coderre (2006).

(10)

10

assurance is costly when the provision is done case-by-case without leveraging information technology. Therefore, in order to understand why companies would supplement or even replace their audit function by a more timely and continuous supervisory function, one should understand what drives the demand for continuous auditing technology and practices.

2.2.2 The demand for continuous auditing

Prior literature on the demand for CA technology and practices suggest that improved monitoring capability seems to be the main driver of demand for CA (M. G. Alles et al., 2002). External parties such as stake-, share- or bondholders exert pressure on the firm to provide assurance. The aforementioned parties expect a form of assurance because for information to be useful, it should be free from material errors, omission and fraud (Chan & Vasarhelyi, 2011). For example, stakeholders require firms to provide assurance on financial statements by hiring an external assuror (Elliott, 2002). In addition, banks also require a form of assurance on the statements required for an organization to take out a loan. This view is consistent with agency theory that states that audit services are demanded as a monitoring device by principal (stake-, share and bondholders) because of the potential conflict of interest (Deangelo, 1981). Researchers postulate that the demand for more continuous forms of auditing is increased as a response to numerous financial scandals (Daigle & Lampe, 2005; Kogan et al., 1999; Kuhn & Sutton, 2006; Vasarhelyi, Kogan, & Alles, 2002). CA is considered to be an effective fraud deterrent (Braun & Davis, 2003; Elliott, 2002; Flowerday & Solms, 2005; Gonzalez & Hoffman, 2018). Since financials scandals can be considered as a breach in the contracting relation between the principal and the agent, it drives the demand for CA. Similarly, Vasarhelyi, Kogan & Alles (2002) posit that CA might have prevented the ‘Enron mess’ because CA would have been able to detect the breach in a more timely matter. Researchers also agree upon the statement that CA increases audit quality, and therefore it increases the monitoring capability of the principal or the bonding capability of the agent (Kogan et al., 1999; Rezaee, Sharbatoghlie, Elam, & McMickle, 2002; Rikhardsson & Dull, 2016). In that case, an important prerequisite for increased monitoring quality is whether the person demanding increased audit quality is willing to pay for it.

(11)

11

Hunton et al., 2008) is that the frequency of demand for more timely audits will increase if companies move towards real-time (financial) reporting. However, since there is a high price-elasticity for higher quality and more frequent audits, it is important to understand the potential benefits of continuous auditing. Therefore, the next section will explore the potential benefits of CA.

2.2.3 Potential benefits of continuous auditing

(12)

12

cost of providing assurance to more transactions is relatively small when information technology can be leveraged. Similarly, Kogan et al. (1999) suggests that technology makes monitoring cheaper. Thus, CA would decrease agency costs of moral hazard and adverse selection, while only marginally increasing the monitoring or bonding costs incurred by the principal or agent. Following Alles et al, it is however ambiguous who should yield the benefits of increased information symmetry and reduced principal-agent friction. Similarly, it is ambiguous who should pay for the costs that are incurred for increasing the quality and frequency of assurance (M. G. Alles et al., 2002). This ambiguity is demonstrated in the current adoption of CA technology and practices, as will be shown in the next section.

2.2.4 Adoption of continuous auditing

For decades, researchers have suggested that CA has potential and that it is gaining momentum (Koch, 1981; Kogan et al., 1999; Malaescu & Sutton, 2015; Pricewaterhousecoopers, 2006, 2018). However, practitioners suggest that organizations are minimally implementing CA technology and practices (Deloitte, 2010; KPMG, 2010). Moreover, little cases are known on the implementation of CA technology and practices: Siemens (M. Alles et al., 2006); Metcash Business Assurance Group (Hardy & Laslett, 2015) and AT&T (Vasarhelyi & Halper, 1989). Vasarhelyi et al (2012, p. 279) conclude that CA research is “strikingly contrasted with the PwC survey, which stated that a large number of companies had CA in place”. Vasarhelyi et al. (2012) undertook a micro-level study of the state of adoption of CA within multinational companies. They suggest that all companies were in the emerging stage but were not close to a full continuous audit. In a later study on the hindering factors for CA implementation, Vasarhelyi, Littley & Williams (2014) suggest that management support, perceived costs, regulatory environment and employee knowledge affect the adoption of CA technology and practices. Consistently, Gonzalez and Hoffman (2018) suggest that the actual adoption have lagged behind expectations. They conclude that performance expectancy, facilitating conditions and social influence are significant factors for organizations’ decisions to implement CM. As mentioned before, CM can be a prerequisite for CA, and therefore these factors might also affect the adoption of CA technology and practices.

(13)

13

not a function of technology, but a function of demand for more timely assurance. The literature is thus leaving a gap in explaining what constitutes the demand for more timely assurance by primarily focusing on technological aspects of CA. Hunton et al. (2008) suggests that there is a future research opportunity to increase knowledge of the underlying motivations of managers making the type of investment decisions related to continuous monitoring and continuous auditing. Therefore, this study focuses on the underlying motivations of managers that create the demand for increasing the frequency and quality of audits using CA technology and practices. It is thereby filling the void in the literature on the constituents of demand for higher frequency and quality audits. This study mobilizes agency theory to contribute to a growing body of research on continuous auditing practices by answering the following research question:

(14)

14

3. Method

3.1 Research approach and sample selection

Hunton et al. (2008) investigated the potential functional and dysfunctional effects of continuous monitoring using a quantitative research approach. They suggest that special attention should be paid in future research to increasing academic knowledge on the underlying motivations of managers to make IT related control investments such as CA. This research addresses Hunton et al. (2008) their research avenue by exploring the managerial motives to use CA, it is doing so by using qualitative research. Qualitative research studies phenomena using social actors’ meanings to understand the phenomena (Rynes, 2004). In this case, managers are the social actors and using CA to improve audit frequency is the phenomenon. The explorative perspective of the research question therefore makes this research most suitable for qualitative research.

The overall approach of this study is the use of multiple case studies (Yin, 2011). The approach of using multiple case studies is chosen because of the study’s central role of exploration (Otley & Berry, 1994). In addition, and consistent with Otley & Berry (1994), the exploratory role of this study goes beyond that of the description of managerial motives, but rather towards explanation of managerial motives. Ideally, this study would have used a homogeneous sample strategy as suggested by Patton (1990). The sample would consist of a homogeneous group of internal audit managers that adopted a form a CA. However, the homogeneous sampling strategy for this study is restrained by the adoption of CA (Deloitte, 2010; Gonzalez, Sharma, & Galletta, 2012; KPMG, 2010). As described in the theoretical background, CA is not widely adopted by practitioners and it is therefore difficult to create a homogeneous sample consisting only audit managers that adopted a form of CA. As a result, this study uses a maximum variation sampling strategy (Patton, 1990). The maximum variation sampling strategy allows this study to use a heterogeneous sample without losing its validity. It is doing so by the notion that any common patterns that emerge from the data are of particular interest and value to practitioners in the field of CA (Patton, 1990). In order to create a sample that has a maximum variation, this study identified diverse characteristics for constructing its sample. The characteristics that were used to create a sample with maximum variation are depicted in the table below and will be discussed in the next paragraph.

Table 1: Maximum variation strategy characteristics

1) Respondent characteristics 2)Organizational type

1 Internal audit managers that have adopted a form of CA within the audit department

Not for profit organizations For profit organizations 2 Consultants of big 4 consulting firms that have

(15)

15

The most important criteria for a respondent to be included in the sample is that the respondent has actual knowledge of CA. If this is the case, other characteristics apply in order to create a sample with maximum variation. There are three characteristics of respondents that help maximize the sample variation. Firstly, internal audit managers that have adopted a form of CA within the audit department can deliver first-hand knowledge on the managerial motives to use CA. It follows Rikhardsson & Dull’s (2016) aim to discern similarities and differences between managerial motives between companies that have implemented a form of CA. Since there is no prior literature on the differences and similarities of CA between for profit and not for profit companies, this study maximizes its sample by including for profit and not for profit organizations. Three companies were included in the sample of this study, of which two for profit companies, and one not for profit. Secondly, consultants of big 4 consulting firms are included in the sample because they have a large knowledge base on motives why companies adopt CA to improve audit frequency and quality. Prior research suggests that big 4 consulting firms are associated with larger clients (Lawrence, Minutti-meza, Zhang, & Minutti-meza, 2019). Since CA is most common at firms that have an internal audit department and are therefore categorized as larger firms, consultants must have big-4 consulting experience. This criterion lead to the inclusion of four respondents. Finally, the sample includes developers of CA technology. Developers of CA technology are likely to work with internal audit managers and can therefore address the managerial motives to use CA. This is consistent with Vasarhelyi et al. (2012) who suggest that internal audit departments employ developers to support the continual improvement of the internal audit. Two developers of CA technology are included in the sample.

(16)

16 Table 2: respondents

# Organization Industry Organizational

type Size Respondent characteristic Number of interviews Duration Observation

1 [redacted] Dairy Profit 22.000 Audit manager (1) 2 2 hours CM/CA dashboard

2 [redacted] Consulting Profit 200.000 Senior consultant (2) 1 1,5 hour

-

3 [redacted] Consulting Profit 160.000 Senior consultant (2) 1 1

-

4 [redacted] Consulting Profit 10 Consultant (3) 1 1 hour CM/CA dashboard and

mock-ups

5 [redacted] Banking Profit 55.000 IT auditor (2) 1 1 hour

-

6 [redacted] Motorcycles , Bicycles, And Parts

Profit 3.000 Data analyst / IT auditor (3)

1 1,5 hours

-

7 [redacted] Education Nonprofit 7.000 Audit manager (1) 1 2,5 hours CM/CA

dashboard

Table 3: Maximum variation matrix

1) Respondent characteristics # 2) Organizational type #

1

Internal audit managers that have adopted a form CA within their audit department (1, 6, 7)

Not for profit organizations

(7) For profit

organizations

(1, 6) 2 Consultants of preferably big 4 consulting firms that have experience with CA related control initiatives (2, 3, 4,

5)

(17)

17

3.2 Data collection

To provide stronger substantiation of the findings in this study, triangulation is applied by using three sources of data (Eisenhardt, 1989). Triangulation increases the validity by creating a greater understanding of the underlying mechanisms that apply to CA (Edmondson & Mcmanus, 2007). In this study, interviews are coupled with observation and initiating phone calls to collect well-rounded information for the analyses (Turner, 2010).

Before the aforementioned methods were carried out during the study, pilot interviews were held with two informants that had knowledge in the field of CA. The informants held positions as PhD researcher at the Tilburg University and partner at an accounting firm. Based on these interviews, potential organizations that use CA were identified, interview questions were structured and broad knowledge with regard to the application of CA was gathered.

(18)

18

3.3 Data analysis

The data analysis started with the transcription of the audio files of the interviews. For transcribing purposes and ensuring reliability of the data, the interviews were recorded unless the interviewee disagreed. Transcribing the interviews is important for the generation of insight, and within-case analysis of qualitative data involve detailed write-ups (Eisenhardt, 1989). Given the privacy related reluctance of some respondents to audio-record the interview, some interviews were transcribed using notes that were taken during the interview, memorable quotes and observations. The transcription process consisted of two steps. Firstly, the audio files were transcribed using a speech recognition program and thereafter mistakes in the transcripts were corrected. The transcripts were corrected in a way that every sentence conveyed the message of the informant and key words remained the same. The data from the hand-written quotes and memorable quotes were added to the data and analyzed collectively.

(19)

19

4. Findings

The structure of the findings section is based on the aggregate dimensions shown in the figure below. The figure shows how the findings were deduced from the transcripts, this leads to the managerial motives of implementing CA to increase audit frequency and quality. In order to elaborate further how the second order-concepts were deduced from the data, three additional quotes for each second-order concept are given in appendix 2.

Figure 2: Data structure

Before the aforementioned figure and its findings will be discussed, the varying role of CA within organizations as well as its varying implementation process will be discussed. These subjects are important to understand why certain comments of informants are made, and why CA may differ across organizations. Firstly, based on the interviews it became clear that organizations have different perspectives of what CA comprehends. Practitioners appear to struggle with separating continuous monitoring from continuous auditing and use both terms interchangeably as a result. As illustrated by the informant at [redacted]:

(20)

20

In this particular situation, [redacted] implemented a hybrid form of CM/CA by utilizing its system in its first line of defense (CM) as well as in its second and third line of defense. Therefore, it appears ambiguous whether their system was part of continuous monitoring or continuous auditing. In addition, other informants spoke of the implementation of continuous monitoring while their system was managed and implemented primarily by its audit department. This is illustrated below:

“We developed our CM system explicitly within the audit department” [Data analyst in the Motorcycles, Bicycles, And Parts industry]

Furthermore:

“Within [REDACTED] we refer to CA when the results lead to a form of assurance, but indeed, clients use both definitions interchangeably.” [Senior consultant, [REDACTED]]

Secondly, during the interviews it became evident that the implementation process and purposes of CA systems varies across organizations. Broadly speaking, two types of implementation processes could be observed within organizations. The first one being the internal audit department that utilizes the system that is developed by the business and the second one being the audit department developing a CA system primarily for its own. This is also emphasized by the following informant:

“While I was a consultant at Deloitte, I’ve seen a broad range of CA/CM systems that widely differed from each other. Most, however, are simply CM systems developed by the business and utilized by the audit department.” [Consultant at [redacted]]

In addition:

“I see that there is a large gap between organizations in terms of CA/CM development” [Manager internal audit, [redacted]]

(21)

21

[redacted] uses CA primarily for operational audits while the [redacted] only uses CA for financial audits.

Organizational differences in terms of the purpose that CA has within the organization can be explained by the fact that the underlying processes that firms are monitoring differ significantly. Therefore, every CA implementation is customized and could therefore differ with other organizations. The motivations that managers have and by implementing CA technology, however, are comparable. These motivations were deduced from the transcripts and will be explained in the next sections.

4.1 Increased audit efficiency

When informants were asked about the differences before and after the implementation of CA, it becomes clear that CA leads to increased audit efficiency through external and internal synergies. Managers recognize these synergies and are therefore enthusiastic about the changes that CA brought to the audit department.

4.1.1 Internal synergies

Internal synergies can be defined as processes where two internal departments are working together in a more efficient manner in comparison to the old situation. The implementation of CA lead in most cases to internal synergies where the internal audit department was able to collaborate with the business in a more efficient way. As illustrated below:

“The results of our analyses are sent automatically to the controllers who then have to clarify the deviations in the data.” [Manager internal audit, [redacted]]

In this particular case, the CA system was continuously running analyses if certain business processes had no deviations in comparison with the norm. If there were deviations, a periodic report was sent to the responsible business controller who then had to clarify or repair these transactions. This yields two efficiency advantages: 1) because these reports are sent automatically, business controllers expect them and also have an incentive to create a process that prevents the generation of deviations. 2) The audit department periodically collects additional documentation for the errors and omissions that are found in the analyses. The informant within [redacted] acknowledges the same advantage:

(22)

22

The system automatically recognizes deviations from the norm. These deviations are then sent by the audit department to the entity that will be audited. Similarly, as illustrated below, the usage of CA works beneficial for the third and second line of defense within [redacted]:

“Due to the utilization of CA, we can create a risk profile for every process. This risk profile including the factors that influence them is shared with the responsible financial director. Entities with the highest risk profiles will get the highest number of audits. The financial director has therefore an incentive to lower his risk profile in order to have less audits.” [Manager internal audit, [redacted]]

Communicating these risk profiles to the business yields internal synergies that are beneficial for both departments. Another firm realizes internal synergies due to sharing data analyses that can be used by the business:

“[..] sometimes the business is looking for a data analysis which we can provide. We can then send our script that is coded into our CM system.” [Data analyst internal audit in the Motorcycles, Bicycles, And Parts industry]

It becomes evident that CA technology enables better collaboration between the business (1st_{and 2}nd line of defense) and the audit department (3rd_{line of defense). Additionally, as shown by informants,} CA technology enables earlier detection of abnormalities and earlier clarification by the business. In case of fraud, the following informant shows that departments are better able to work together in case of suspicion of fraudulent activities:

“Our system is also meant to detect fraud within entities of our group. If we have suspicions of fraud, we can quickly communicate with other departments to take action” [Data analyst internal audit in the Motorcycles, Bicycles, And Parts industry]

However, most CA systems are not yet ready to provide immediate assurance to transactions or documents, but the process of automatically recognizing deviations and directly asking for additional documentation helps to increase the provision on assurance on objects such as the financial statement. The provision of assurance and the collaboration with external parties will be discussed in the next section.

4.1.2 External synergies

(23)

23

“We develop our CA system in collaboration with our external accountant, they are now able to rely on some of our data-analyses” [Manager internal audit, [redacted]]

In the old situation of the [redacted], the accountant requested a dataset on which they performed data-analyses. With the implementation of their CA system, some of their analyses are replaced by the system. Since the external accountant is now able to rely on the CA system of the [redacted], cost reductions through external synergies arise. Another informant that is a former external accountant and now developing CA technology illustrates a similar motive to implement CA technology:

“The advantages of CA are difficult to quantify, but organizations are able to reduce their external accountancy costs by performing audit activities themselves in a more efficient way” [Consultant, [redacted]].

The aforementioned quote is visible within every organization that integrated CA technology within their audit process. Efficiencies through synergies with external parties arise because the external accountant are able to rely on the activities that are based on the CA system. When CA is used as an ‘auditing by exception’ method, the accountant can focus on the exceptions in the data, rather than the whole dataset. In addition, when the financial dataset is sufficiently validated, the external accountant does not need to build a dataset for his own. This is illustrated below:

“We cannot use CA for all our processes because we do not have data validation between our SAP-system and our CA system. We need to improve our change management processes for the accountant to rely on it, this is our goal for the upcoming year”. [Manager internal audit, [redacted]]

In addition:

“Usually, we perform our own analyses on the data provided by the client. However, if analyses are custom-made, the client is sometimes prefers to perform the analysis internally using their CA system. In that case, we rely on the output of the CA system” [Senior manager, [REDACTED]]

Based on the internal and external synergies that can be realized by embedding CA technology into audit processes, a reduction in monitoring costs may arise within the company. Internal audit managers as well as CA consultants do acknowledge that CA benefits are difficult to quantify but reducing pressure by external accountant is one of their motives to further improve their CA system. The following quote by the informant at the [redacted] will be the final quote of this section:

(24)

24

that CM indeed reduced the errors. [...] It also leads to lower external auditor costs” [Manager internal audit, [redacted]]

4.2 Increased audit effectiveness

Based on the interviews, it became clear that one of the managerial motives to implement CA was to increase the audit effectiveness. Three mechanisms are shown in the data to increase the effectiveness: 1) CA as an early irregularity detection system, 2) CA to increase responsiveness, 3) CA to increase the focus within audits.

4.2.1 Early irregularity detection

CA enables the early detection of irregularities or abnormalities on a transactional level. When CA is fully implemented and embedded within the organization, it allows the auditor to ‘audit by exception’, rather than auditing the whole population on irregularities. This is illustrated by the informant below: “We have a set of approximately 250 business rules that we use to detect abnormalities in the data. Subsequently, we run these analyses periodically to detect abnormalities in an early stage” [Manager internal audit, [redacted]].

Within this specific situation, [redacted] deploys its CA system as an early warning system. Furthermore, the set of 250 business rules that are embedded in the system allow [redacted] to perform ‘audit by exception’, which means that they only must clarify the exceptions in the data. Furthermore, [REDACTED] uses its CA system to detect fraud in early stages. Besides the internal synergy that arises between internal departments when fraud is detected, the audit also become more effective when fraudulent activities are detected in an early stage. Also illustrated below:

“We created a script that periodically checked whether people exchanged passwords. We had suspicions that our segregation of duties was breached because of the exchange of passwords. The script would analyze whether an invoice is signed within 20 minutes after creation, we would then check if the digital signature was placed using the same IP-address.” [Data-analyst internal audit, [redacted]]

(25)

25

“Usually, we perform analyses once or twice a year. But when clients are doing the analyses themselves using a CA system, the frequency of these analyses are much higher and therefore detect abnormalities earlier than we usually do.” [Senior manager, [redacted]]

4.2.2 Increased responsiveness

The increased ability to respond is illustrated by a developer of CA technology:

“We are building a solution that flags irregular transactions based on underlying business rules. Flagged transactions then need additional clarification from the business” [Consultant, [redacted]]

The above-mentioned solution is being built by [redacted] for the [redacted] among other non-profit organizations. The solution enables the business to enclose additional documentation for the audit department. Not only does this solution enable automated auditing by exception, it increases the capability to respond earlier to missing or wrong documentation that is enclosed by the flagged transaction. In addition, increased responsiveness can also be illustrated by the following quote:

“In case of, for example, fraud, the audit department is able to react earlier because analyses are run continuously or semi-continuously. The higher frequency of analyses enables auditors to respond earlier to abnormalities within the data” [Senior consultant, [REDACTED]]

Subsequently, auditors are enabled to focus on other matters that require their attention. 4.2.3 Increased focus

Based on the interviews in combination with the observations in firms that utilize CA technology, [redacted] motivated that it uses CA primarily to increase its focus within audits. As illustrated before, [redacted] uses its CA technology to create enterprise, entity and process-level risk profiles to steer their focus into the direction needed. In case a process within an entity has a high risk-level, the auditors will put additional focus in these processes. On the other hand, processes with a low risk-level do not need to be audited thoroughly as high-risk processes. This is illustrated below:

“Using CA, we can focus on the risks that are really there instead of spending our time good processes. This is unnecessary for our time as auditors, but also for the businesses that are audited” [Manager internal audit, [redacted]]

(26)

26

“Efficiency can be seen in the number of audits we are able to do with the same amount of people. An increase in audit-effectiveness can be seen in increase of high-risk exposures that we find. This increase can be explained because we are better capable of focusing on exceptions.” [Manager internal audit, [redacted]]

As can be seen in the above quote, the ability to focus also leads to an increase of exposed weaknesses. Generally, processes with a high amount of exceptions should receive more attention in audits, while processes with a low amount of exceptions do not. When auditors use CA and are therefore able to focus on the processes that do need attention, weaknesses are earlier exposed.

4.3 Increased audit quality

Besides reducing monitoring costs through efficiencies and increasing the effectiveness of audits, a motive to implement CA is to improve audit quality. Informants suggest that CA improves audit quality by confirming audit findings and suggest that CA is a complementary method rather than an exclusive audit method.

4.3.1 CA as complementary method

Based on the data collection in this study, CA can be seen as a complementary method to perform operational as well as financial audits. The traditional audit method contains an interim and an end-of-year audit. When organizations start using CA, audit frequency increases and other types of analyses are being made. This is illustrated below:

“Depending on the frequency and the level of risk of the transaction, we are now able to audit processes more often.[…] Furthermore, our system enables us to solve our findings more timely.” [Manager internal audit, [redacted]].

In the traditional situation, questions regarding irregularities in the data are being asked during the interim and end-of-year period. When CA is introduced, questions will be asked throughout the year and auditors can look at them more thoroughly. In addition, and as mentioned before, levering CA will improve the audit by exposing weaknesses in processes that require extra attention. [REDACTED] suggested the following:

“Using our CM/CA system, we have a better way of explaining errors and abnormalities in the data. […] We are also able to show our findings more visually” [Data analyst internal audit in the Motorcycles, Bicycles, And Parts industry]

(27)

27

(28)

28

5. Discussion

The aforementioned findings are used to give an answer to the research question that was postulated in the theoretical background. The research question is as follows: “What are the managerial motives of using continuous auditing (CA) and thereby improving audit frequency?” This section further explains the findings using the theoretical concepts that were introduced in the theoretical background. The structure of the discussion is based on the relation between the managerial motives and the theoretical concepts as depicted in the process model below. After a recapitulation of the findings based on the model below, the contribution of this study will be highlighted.

Figure 3: process model

(29)

29

department. In addition, this study shows that practitioners have trouble separating the definitions of CA and CM because of the intertwined function for the business and the audit department. It is therefore difficult to create a taxonomy wherein CA and CM function as isolated systems and are defined separately. However, prior literature attempts to define continuous auditing and continuous monitoring as separated and isolated systems that respectively function within the internal audit and business only. For example, Coderre (2006) defines CA in reference to external audit reports and state that it includes activities by auditors only. In addition, Kuhn & Sutton (2006) describe CA as a distinct subset of CM. Other research focuses on the implementation process and postulate that CM is implemented by the business and CA by the auditors (Davidson & Gerard, 2013). The aforementioned definitions of CA and CM reflect the assumption that both systems are separated and function in isolation. This study contributes by suggesting that CA and CM cannot be separated easily because they have an intertwined function in practice. Moreover, practitioners within the business and internal audit appear to use hybrid CM/CA systems. As a result, an avenue for future research arises that could focus the development of hybrid CA/CM frameworks that can be used for both the business and audit department simultaneously. Hybrid CA/CM systems may put an emphasis on the creation of internal synergies through the co-creation of such IT related control initiatives by the business and audit department.

Apart from internal synergies, the evidence of this study shows that managers adopt CA with the intention to economize on monitoring costs by collaborating more efficiently with external parties such as the external auditor. While this managerial motive is consistent with prior literature that suggest external synergy with regard to internal auditor control initiatives (Abbott, Milwaukee, & Parker, 2012; Davidson & Gerard, 2013; Rezaee et al., 2002), this study extends this stream of research by showing that external synergy is possible, but cannot be taken for granted. For the organization to reach external synergies, it must fulfill certain preconditions (e.g. data-validation and change management processes). This finding also has an implication for practitioners that want to adopt CA. Namely, for the organizations to create external synergetic benefits, close collaboration with the external auditor is required to enable external reliance on the analyses carried out by the CA system and its dataset.

(30)

30

(31)

31

6. Conclusion

The “now” economy requires information to be free from material errors, omission and fraud in order to be used as an organizational steering device (Malaescu & Sutton, 2015; Vasarhelyi et al., 2012). Quality-assuring devices such as audits should therefore be supplemented, or even replaced, by a more timely and continuous semi supervisory function (Alles et al. 2002). The shift from an ‘archival’ audit towards a more continuous audit is only minimally embraced by practitioners while it is widely embraced by academia for a long time. Prior studies on the adoption of continuous audit practices have primarily focused on technological drivers of the demand while Alles et al. (2002) suggests that auditing is a function of demand, rather than a function of technology. Therefore, this study attempts to contribute to research on continuous auditing practices by exploring managerial motives to use continuous auditing to increase audit frequency and quality. Based on a multiple case study conducted in four audit departments and three consulting firms, this study suggests several findings.

The findings of this study suggest that managers use CA to increase the organization’s audit efficiency, audit effectiveness and audit quality. Firstly, audit efficiency is increased through CA by creating synergies between internal stakeholders of the firm, and between external stakeholders and the firm. The data suggests that when firms use CA, the business and the audit department are able to collaborate more efficiently. As a result, the audit department can use its resources more efficiently and is thereby able to reduce the organization’s monitoring costs. Furthermore, external synergies are created through better collaboration between the internal audit department and the external accountant. Under certain circumstances such as valid data-validation and compliant change management processes, external auditor reliance is created for the analyses that are performed inside the internal audit department. This results in a decrease of external auditor pressure and cost. However, the data of this study also shows that external auditor reliance cannot be taken for granted because the organization must fulfill specific preconditions. Another main managerial motive to use CA is to increase audit effectiveness which subsequently results into increased audit quality. CA is a monitoring mechanism that enables auditors to detect errors, omissions and fraud in a more timely manner. Subsequently, the audit department can increase its responsiveness and therefore able to reduce the latency between the occurrence of the transaction and the provision of assurance. Furthermore, increased focus enables auditors to increase audit quality. CA enables auditors to focus on entities or processes that are considered weak. Internal auditors are then capable of focusing on processes or entities that need attention, and entities and processes that do not.

(32)

32

finding is consistent with prior literature on external auditor reliance (Davidson & Gerard, 2013; Malaescu & Sutton, 2015). However, consultants of big 4 audit firms indicated that this is only the case under specific circumstances, and that it happens not very often. Thus, the managerial motives are consistent with the literature but contradictory to practice as experienced by external auditors. Davidson and Gerard (2013) show that external auditors rely more on internal audit activities when the auditor makes use of CA, but they do not explain how to maximize the reliance of the external auditor. Similarly, neither does prior literature explain how internal auditors are able to increase the external auditor reliance on CA systems. Therefore, an avenue for future research arises. Future research could pay special attention to how organizations are able to maximize external auditor reliance using CA technology and practices. Organizations may benefit from such research since the increase in audit efficiency by collaborating with the external auditor is beneficial and can be easily quantified by measuring the decrease of external auditor pressure and costs.

Unfortunately, but alike almost every other study, this study is subject to limitations. First of all, a maximum variation sampling strategy was used as a remedy to the lack of internal auditors that use CA. The disadvantages of this sampling strategy lay in the generalizability of the results. The sample that was used consisted of three firms that implemented a form of CA, therefore, the results may not be as generalizable. Ideally, the respondents would consist of a homogeneous group of internal auditors that implemented a fully-fledged CA system. The geographical focus of this study being The Netherlands may have been detrimental for the possibility to create a homogeneous group. Considering this limitation, future research could extend the geographical scope and focus on the creation of a homogeneous group of internal auditors that have implemented CA. Additionally, this research suspects that the adoption of CA is restrained by external auditor regulatory constraints. It would be interesting to investigate whether there are cross-country regulatory differences that influence external auditor reliance on CA systems and therefore the adoption of CA.

(33)

33

(34)

34

References

Abbott, L. J., Milwaukee, W., & Parker, S. (2012). Audit Fee Reductions from Internal Audit-Provided Assistance : The Incremental Impact of Internal Audit Characteristics *. Contemporary

Accounting Research, 29(1), 94–118. https://doi.org/10.1111/j.1911-3846.2011.01072.x

Adams, M. B. (1994). Agency theory and the Internal Audit. Managerial Auditing Journal, 9(8), 8–12. Alles, M., Brennan, G., Kogan, A., & Vasarhelyi, M. A. (2006). Continuous monitoring of business

process controls: A pilot implementation of a continuous auditing system at Siemens. International Journal of Accounting Information Systems, 7(2), 137–161.

https://doi.org/10.1016/j.accinf.2005.10.004

Alles, M. G., Kogan, A., & Vasarhelyi, M. A. (2002). Feasibility and economics of continuous assurance. Auditing. A Journal of Practice and Theory, 21(1), 125–138.

https://doi.org/10.2308/aud.2002.21.1.125

Antle, R. (1982). The Auditor as an Economic Agent. Journal of Accounting Research, 20(2), 503–527. Arnold, V., Lampe, J., Masseli, J. J., & Sutton, S. G. (2000). An analysis of the market for systems

reliability assurance services. Journal of Information Systems, 14(1), 65–82.

Barr-Pulliam, D. (2018). The effect of continuous auditing and role duality on the incidence and likelihood of reporting management opportunism. Management Accounting Research. https://doi.org/10.1016/j.mar.2018.10.001

Basit, T. (2003). Manual or electronic? The role of coding in qualitative data analysis. Educational Research. https://doi.org/10.1080/0013188032000133548

Benston, G. J. (1980). The Market for Public Accounting Services : Demand , Supply and Regulation. Journal of Accounting and Public Policy, 79(9), 33–79.

Botosan, C. A. (1997). Disclosure level and the cost of equity capital. The Accounting Review, 72(3), 323–349.

Braun, R. L., & Davis, H. E. (2003). Computer‐assisted audit tools and techniques analysis and perspectives. Managerial Auditing Journal, 18(9), 725–731.

Brown, C. E., Wong, J. A., & Baldwin, A. A. (2007). Research Streams in Continuous Auditing. Journal of Emerging Technologies in Accounting, 4, 1–28.

(35)

35

Journal of Accounting Information Systems, 12(2), 152–160. https://doi.org/10.1016/j.accinf.2011.01.001

Coase, R. H. (1934). The Nature of the Firm. Economica, 4(16), 386–405.

Coderre, D. (2006). Continuous Auditing : Implications for Assurance , Monitoring , and Continuous Auditing: Implications for Assurance. The institute of internal Auditors.

Daigle, R. J., & Lampe, J. C. (2005). The level of assurance precision and associated cost demanded when providing continuous online assurance in an environment open to assurance

competition. International Journal of Information Systems, 6, 129–156. https://doi.org/10.1016/j.accinf.2004.05.001

Davidson, B. I., & Gerard, G. J. (2013). The Effect of Continuous Auditing on the Relationship between Internal Audit Sourcing and the External Auditor’s Reliance on the Internal Audit Function. Journal of Information Systems, 27(1), 41–59. https://doi.org/10.2308/isys-50430 Deangelo, L. E. (1981). Auditor size and audit quality. Journal of Accounting and Economics, 3, 183–

199.

Deloitte. (2010). Continuous monitoring and continuous auditing: From idea to implementation. Dzuranin, A. C., & Mălăescu, I. (2016). The Current State and Future Direction of IT Audit: Challenges

and Opportunities. Journal of Information Systems, 30(1), 7–20. https://doi.org/10.2308/isys-51315

Edmondson, A. M. Y. C., & Mcmanus, S. E. (2007). Methodological fit in management. Academy of Management Review, 32(4), 1155–1179.

Eisenhardt, K. M. (1989). Building Theories from Case Study Research. Academy of Management Review, 14(4), 532–550.

Elliott, R. K. (2002). Twenty-First Century Assurance. Auditing: A Journal of Practice and Theory, 21(1).

Flowerday, S., & Solms, R. Von. (2005). Continuous auditing : verifying information integrity and providing assurances for financial reports. Computer Fraud & Security, 7(July), 12–16. Gonzalez, G. C., & Hoffman, V. B. (2018). Continuous auditing’s effectiveness as a fraud deterrent.

Auditing. A Journal of Practice and Theory, 37(2), 225–247. https://doi.org/10.2308/ajpt-51828

(36)

36

Continuous Monitoring Technology. Journal of Information Systems, 26(2), 53–69. https://doi.org/10.2308/isys-50259

Hardy, C. A., & Laslett, G. (2015). Continuous Auditing and Monitoring in Practice: Lessons from Metcash’s Business Assurance Group. Journal of Information Systems, 29(2), 183–194. https://doi.org/10.2308/isys-50969

Humphrey, C., & Lee, B. (2004). The real life guide to accounting research.

Hunton, J. E., Mauldin, E. G., & Wheeler, P. R. (2008). Potential functional and dysfunctional effects of continuous monitoring. Accounting Review, 83(6), 1551–1569.

https://doi.org/10.2308/accr.2008.83.6.1551

Jensen, M. C., & Meckling, W. H. (1976). Theory of the firm: managerial behavior, agency costs and ownership structure. Journal of Financial Economics 3, 3, 305–360.

https://doi.org/10.1016/0304-405X(76)90026-X

King, R. R., & Schwartz, R. (1998). Planning Assurance Services. Auditing: A Journal of Practice & Theory, 17, 9–36.

Koch, H. S. (1981). Online Computer Auditing through Continuous and Intermittent Simulation. Misq, 5(1), 29. https://doi.org/10.2307/249156

Kogan, A., Sudit, E. F., & Vasarhelyi, M. A. (1999). Continuous Online Auditing: A program of Research. Journal of Information Systems, 13(2), 87–103. https://doi.org/10.1037//1082-989X.5.2

KPMG. (2010). Continuous Auditing en Continuous Monitoring: Levert het de beloofde voordelen op? https://doi.org/10.1002/(SICI)1520-6505(1998)6:5<178::AID-EVAN5>3.3.CO;2-P

Kuhn, & Sutton. (2006). Learning from WorldCom: through Continuous Assurance. Journal of Emerging Technologies in Accounting, 3(October), 61–80.

https://doi.org/10.1016/j.accinf.2004.01.010

Lawrence, A., Minutti-meza, M., Zhang, P., & Minutti-meza, M. (2019). Can Big 4 versus Non-Big 4 Differences in Audit-Quality Proxies Be Attributed to Client Characteristics ? The Accounting Review, 86(1), 259–286. https://doi.org/10.2308/accr.00000009

(37)

37

Masli, A., Peters, G. E., Richardson, V. J., & Manuel Sanchez, J. (2010). Examining the potential benefits of internal control monitoring technology. Accounting Review, 85(3), 1001–1034. https://doi.org/10.2308/accr.2010.85.3.1001

Mello, A. S., & Parsons, J. E. (1992). Measuring the agency cost of debt. The Journal of Finance, 47(5), 1887–1904.

Otley, D. T., & Berry, A. J. (1994). Case study research in management accounting and control. Management Accounting Research, 5, 45–65.

Parkash, M., & Venable, C. F. (1993). Auditee Incentives for Auditor Independence : The Case of Nonaudit Services. The Accounting Review, 68(1), 113–133.

Patton, M. (1990). Qualitative evaluation and research methods. SAGE Publications, Inc., 169–186. Pricewaterhousecoopers. (2006). State of the internal audit profession study: Continuous auditing

gains momentum.

Pricewaterhousecoopers. (2018). Moving at the speed of innovation: The foundational tools and talents of technology-enabled internal audit. New York, NY.

Rezaee, Z., Sharbatoghlie, A., Elam, R., & McMickle, P. . (2002). Continuous Auditing: Building automated Auditing Capability. Auditing: A Journal of Practice & Theory, 21(1).

https://doi.org/10.1007/BF00625608

Rikhardsson, P., & Dull, R. (2016). An exploratory study of the adoption, application and impacts of continuous auditing technologies in small businesses. International Journal of Accounting Information Systems, 20, 26–37. https://doi.org/10.1016/j.accinf.2016.01.003

Rynes, S. (2004). From the editors. Academy of Management Review, 47(4), 454–462.

Searcy, D. L., & Woodroof, J. B. (2003). Continuous auditing: leveraging technology. The CPA Journal, 73(5), 46.

Turner, D. T. (2010). Qualitative Interview Design : A Practical Guide for Novice Investigators. The Qualitative Report, 15(3), 754–760.

Vasarhelyi, M. A., & Alles, M. G. (2008). The “now” economy and the traditional accounting reporting model: Opportunities and challenges for AIS research. International Journal of Accounting Information Systems, 2008(9), 227–239.

(38)

38

continuous auditing by internal auditors: A micro analysis. International Journal of Accounting Information Systems, 13(3), 267–281. https://doi.org/10.1016/j.accinf.2012.06.011

Vasarhelyi, M. A., & Halper, F. B. (1989). The Continuous Audit of Online Systems. Continuous Auditing, 87–104. https://doi.org/10.1108/978-1-78743-413-420181004

Vasarhelyi, M. A., Kogan, A., & Alles, M. G. (2002). Would Continuous Auditing Have Prevented The Enron Mess? The CPA Journal, 80.

Vasarhelyi, M. A., Littley, J., & Williams, K. (2014). Continuous Auditing technology adoption in leading internal audit organizations Continuous Auditing technology adoption in leading internal audit organizations.

Venkatesh, V., Morris, M. G., Davis, G. B., & Davis, F. D. (2003). User acceptance of information technology: toward a unified view. MIS Quarterly, 27(3), 425–478.

Verkruijsse, H. (2019). Met continuous monitoring naar continuous data level assurance ; de volgende stap in interne beheersing, 369–376.

Wallace, W. A. (2004). The economic role of the audit in free and regulated markets: a look back and a look forward. Research in Accounting Regulation, 17(04), 267–298.

https://doi.org/10.1016/S1052-0457(04)17012-4

Watts, R. L. (1977). Corporate Financial Statements, A Product of the Market and Political Processes. Journal of Management, 2(1), 53–77. https://doi.org/10.1177/031289627700200104

Watts, R. L., & Zimmerman, J. L. (1983). Agency Problems , Auditing , and the Theory of the Firm : Some Evidence. The Journal of Law and Economics, 26(3), 613–633.

https://doi.org/10.1086/467051

Williamson, O. E. (2002). The Theory of the Firm as Governance Structure : From Choice to Contract. Journal of Economic Perspectives, 16(3), 171–195.

(39)

39

APPENDIX 1: Semi-structured interview

The following semi-structured interview give an overview of example questions that could have been included in the interview.

Introducing questions

1. Could you tell me something about your function within the organization? 2. What is your background with respect to your education and former experience? 3. Can you tell me something about the organization?

Generic CA questions

1. Are you aware of CA technologies? If so, how have you become aware of it? 2. Does your organizations use CA technology?

a. If yes, how would you describe the current state of CA in your organization?

b. What specific applications [i.e. combination of people, process and technology] have been implemented?

3. Technology-related questions (in case of CA use)

a. What is the degree of automation in the auditing process? What percentage of prior audit procedures have been switched from manual to automated?

b. How did the organization select the technology to adopt? What criteria were used and who had the final authorization authority?

c. Discuss the quality of the data extracted from the company's ERP, legacy or data warehouse “ready to be used” by the CA tools? How have these improved? Plans for further improvement?

d. How easy was it to extract the data from the system? What tools were used in data extraction?

4. Usage characteristics

a. What kinds of transactions can be analyzed using CA?

b. Is data extraction done in ‘real time’ or on an ‘extract and analyze’ basis? 5. Future directions

a. What is planned over the next two years to expand or improve the auditing process? b. To what extent does the current audit methodology and guidance inhibit a fuller

adoption of CA/CM tools?

c. What are the barriers to more widespread use of CA/CM technology?

6. Were the CA/CM extraction and analysis tools run by specialists or by the audit team?

Motives to use CA

1.

Which event lead to the implementation of CA technology?

a.

Was this event internal or external to the firm?

b.

Is your current use of CA technology a voluntary decision, or is it mandated?

2.

Does your organization use CA as a method to improve audit frequency and quality? 3. What are the advantages and disadvantages of CA in your organization?