What is Continuous Auditing?
ISA 330.11 permits the auditor to perform substantive procedures at an interim date, provided additional procedures cover the remaining period to reduce the risk that misstatements existing at year-end go undetected. Continuous auditing takes this permission to its logical conclusion: rather than testing one interim period and then bridging to year-end, the auditor runs recurring test cycles (weekly, monthly, or per transaction batch) across the full year.
The approach depends on access to the client's transaction data in near-real time. ISA 500.5 requires audit evidence to be sufficient and appropriate. In a continuous auditing model, that evidence comes from automated routines (scripts that flag transactions exceeding defined thresholds, duplicate payment detection, segregation-of-duties violation alerts) rather than from a sample pulled months after the fact. The auditor designs the parameters, reviews exceptions as they arise, and documents the resolution of each flagged item.
Continuous auditing is not the same as continuous monitoring, which is management's own process. The auditor's continuous auditing programme generates independent audit evidence under ISA 500. The two may use overlapping data, but the auditor must design and control the testing logic independently to satisfy ISA 500.6, which requires the auditor to consider the relevance and reliability of information used as audit evidence.
Key Points
- Continuous auditing shifts testing from a single post-year-end window to recurring cycles across the financial year.
- Firms using continuous auditing on transaction-heavy clients often reduce year-end fieldwork hours by 25% to 40%.
- The approach requires automated data feeds and exception-based logic; manual re-performance alone does not qualify.
- Audit documentation must link each interim testing cycle to the conclusions drawn at the reporting date.
Worked example: Rossi Alimentari S.p.A.
Client: Italian food production company, FY2025, revenue €67M, IFRS reporter. Rossi operates 14 production sites and processes approximately 9,000 purchase transactions per month through a centralised ERP system. The engagement team has read-only access to the ERP data warehouse via a secure API.
Step 1 — Design the continuous testing programme
The engagement partner identifies accounts payable and inventory receipts as the two assertion areas suited to continuous auditing, based on high transaction volume and a history of cut-off misstatements. The team builds two automated routines. The first flags purchase orders where the goods receipt date falls more than five business days before or after the invoice date (cut-off risk). The second flags any single purchase transaction above €50,000 without a matching approved purchase order (authorisation risk).
Documentation note: record the risk assessment under ISA 315.26 that supports the selection of these two areas for continuous testing. Document the threshold parameters, the data extraction method, and the date the routines went live.
Step 2 — Execute monthly testing cycles
From January through November 2025, the routines run on the fifth business day of each month against the prior month's transactions. In the March cycle, the cut-off routine flags 23 transactions totalling €187,000. The team investigates and determines that 19 relate to a system migration at one production site where goods receipt dates were manually entered with a two-week lag. The remaining four are legitimate cut-off errors totalling €14,200.
Documentation note: for each monthly cycle, record the number of exceptions flagged, the number investigated, the resolution of each, and any misstatements identified. Retain the data extract and the exception report as working papers.
Step 3 — Bridge to year-end
For December 2025 transactions, the team runs the routines in the first week of January 2026. The cut-off routine flags 11 transactions. The authorisation routine flags two transactions above €50,000 without matching purchase orders (combined value €118,000). The team traces both to a rush order for packaging materials placed by the operations director. One transaction (€63,000) was subsequently matched to a retrospective purchase order approved on 3 January 2026. The other (€55,000) remains unmatched. ISA 330.12 requires the auditor to perform substantive procedures that specifically address the remaining period when testing is performed at interim dates. The team extends its year-end cut-off testing to cover the unmatched transaction and the December goods receipt population.
Documentation note: document the December cycle results alongside the bridging procedures performed. Record how the continuous testing results informed the nature and extent of year-end substantive procedures per ISA 330.12.
Conclusion: the continuous auditing programme identified €14,200 in cut-off misstatements during interim cycles and one unresolved €55,000 transaction at year-end requiring further procedures, defensible because each cycle is documented with exception counts, investigation outcomes, and a traceable link between the automated parameters and the risk assessment.
Why it matters in practice
Teams deploy automated routines but fail to document the design rationale that connects each routine to an assessed risk of material misstatement. ISA 330.28 requires the auditor to document the nature, timing, and extent of further audit procedures and the linkage to assessed risks. Without that linkage, the continuous testing output is data, not audit evidence.
Engagement partners sometimes treat a clean continuous auditing cycle (no exceptions) as sufficient evidence for the tested period without considering whether the absence of exceptions itself needs evaluation. ISA 330.26 requires the auditor to evaluate whether the audit evidence obtained is sufficient and appropriate. A routine that flags nothing may indicate well-controlled transactions, or it may indicate that the parameters were set too loosely to catch genuine errors.
Continuous auditing vs. continuous monitoring
| Dimension | Continuous auditing | Continuous monitoring |
|---|---|---|
| Performed by | The external auditor (or internal audit acting in an assurance capacity) | Management or internal controls function |
| Purpose | Obtain sufficient appropriate audit evidence on an ongoing basis | Detect control exceptions and operational anomalies in real time |
| Governing standard | ISA 330, ISA 500 | COSO Internal Control Framework; no ISA governs management's process directly |
| Output | Documented audit evidence with exception investigation results | Management exception reports feeding the entity's own control environment |
| Independence requirement | The auditor must design or independently validate the testing logic per ISA 500.6 | No independence requirement; management designs its own parameters |
The two processes can run on the same data platform. What separates them is who controls the testing logic and for what purpose. An auditor who simply reviews management's continuous monitoring output without independently assessing the parameters and their operating effectiveness is performing a test of controls, not continuous auditing. That distinction determines whether the output counts as direct audit evidence or as evidence of control effectiveness that still requires corroborating substantive testing.
Related terms
Frequently asked questions
Does continuous auditing eliminate the need for year-end substantive procedures?
No. ISA 330.12 requires the auditor to perform substantive procedures that cover the remaining period between the last interim test and the reporting date. Continuous auditing reduces the volume of year-end work because most of the population has already been tested, but the auditor must still bridge to year-end and test any transactions or balances not captured by the automated cycles.
Can I rely on the client's own continuous monitoring data instead of building separate routines?
You can use the same underlying data, but ISA 500.6 requires the auditor to consider the relevance and reliability of information used as audit evidence. If the client operates its own continuous monitoring system, the auditor must evaluate the design of the client's routines, test their operating effectiveness under ISA 315, and determine whether the output constitutes sufficient appropriate audit evidence before relying on it.
How do I set the right exception thresholds for automated audit routines?
Link each threshold to performance materiality and the assessed risk for the relevant assertion. ISA 530.7 notes that the auditor determines tolerable misstatement to reduce the probability that aggregate uncorrected misstatements exceed materiality. Set the threshold low enough to catch individually significant items, then evaluate the cumulative effect of items below the threshold through sampling or analytical review.