A Case for Continuous Audit

“Audit is not about catching the past unawares; it is about preparing the organisation for what lies ahead.”

In physics, Newton’s First Law of Motion — the law of inertia — posits that an object remains at rest or in uniform motion unless acted upon by an external force. This principle is not limited to the physical sciences; it mirrors a haunting truth in corporate governance: organisations, like objects, resist change unless something — or someone — intervenes. And that someone, increasingly, must be the Internal Audit Function.

Yet ironically, internal audit itself has too long been trapped in inertia.

Most traditional audit approaches are retroactive — focused on reviewing past transactions, post-event analyses, and periodic checklists. While this backward-looking stance once sufficed, the modern business landscape, defined by real-time data, algorithmic decision-making, cyber threats, and regulatory volatility, demands a dynamic transformation.

It is time for internal audit to evolve into a continuous, technology-enabled assurance function, acting as a proactive advisor rather than a forensic historian.

Internal auditors have always been seen as the guardians of integrity, the custodians of assurance. But in a world where business decisions are made in nanoseconds and where digital platforms transact billions without human intervention, how relevant is an audit report issued 90 days after year-end?

As an auditor with over 15 years of cross-sectoral experience in Nigeria’s socio-economic sectors, I’ve seen firsthand how reactive audits fail to prevent losses. Recently, I was part of a post-mortem audit on a mid-sized manufacturing firm that had suffered a major inventory write-off due to raw material misclassification. The root cause? A new ERP configuration that internal audit had not reviewed in real time. By the time the issue was uncovered, significant millions had been lost.

This is the audit paradox: we are called to prevent what we are structurally designed to detect too late.

Enter Continuous Audit (CA) — a methodology that leverages technology to provide real-time or near real-time assurance. Supported by data analytics, RPA (robotic process automation), and AI tools, CA continuously monitors key risk indicators (KRIs), flags anomalies instantly, and empowers decision-makers with real-time insights.

This transformation is not without support from global best practices.

The Institute of Internal Auditors (IIA) in its International Professional Practices Framework (IPPF) encourages innovation and agility.

Standard 2010 states that: “The chief audit executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organization’s goals.”

Continuous audit is the logical execution of this principle in a digitized business context.

Furthermore, Standard 1220 (A2) advises internal auditors to consider the use of computer-assisted audit techniques (CAATs). Continuous audit is the zenith of CAATs — deploying them not periodically, but continuous.

The real resistance, however, is not technical. It’s cultural.

Many audit committees and CAEs (Chief Audit Executives) still equate audit value with volume — how many issues were raised? how many controls were tested? They resist automation, fearing redundancy or loss of control. But this fear is akin to a watchman insisting on using a lantern in a world powered by surveillance drones.

The shift to continuous audit must be led by a change in mindset: that internal audit’s value lies not in merely discovering what went wrong, but in ensuring things go right in real time.

A colleague shared an experience recently; At a leading West African bank she consulted in 2022, she implemented a simple continuous monitoring dashboard that alerted the audit team when user access rights were changed outside normal working hours. Within two months, it prevented three major fraud attempts — all from terminated employees whose credentials were accidentally left active.

The lesson? Technology doesn’t replace the auditor; it amplifies the auditor.

For audit functions seeking to embrace the future, here are four key pillars to drive transformation:

1. Data-Driven Mindset: Audit teams must build competencies in data analytics and invest in tools like ACL, IDEA, Power BI, and Python-based scripts for real-time data interrogation.
2. Risk Sensing: Move from static risk registers to dynamic risk dashboards fed by continuous feeds (e.g., social media sentiment, regulatory alerts, supply chain disruption indicators).
3. Agile Reporting: Replace bulky quarterly reports with short, issue-based flash reports that deliver insight as events unfold.
4. Collaborative Governance: Work closely with IT, compliance, and operations to embed control points within business processes — rather than around them.

The Law of Inertia teaches us that unless acted upon, all systems will continue in their current state. If internal audit remains retroactive in an age of real-time threats, it risks becoming irrelevant — a vestigial function offering yesterday’s solutions to today’s problems.

To remain the trusted advisor at the decision-making table, internal audit must embrace continuous assurance, grounded in real-time insight, digital tools, and strategic foresight.

The call is clear: Evolve, or be bypassed into irrelevance!

Omoniyi Mafikuyomi, –Practises Internal Audit in Nigeria