Continuous assurance auditing (CAA) is the process of installing control-related monitors in IT systems that will send audit-related signals or messages to auditors—usually internal auditors—if the IT system’s processing signals a deviation with one or another audit limit or parameter. This concept has been around since the earlier days of IT auditing when pioneer internal audit specialists developed audit monitoring tools known as Integrated Test Facilities (ITFs) or System Continuous Audit Review File (SCARF) facilities.¹ These processes date back to the days of mainframe computers and the almost primitive technology of that earlier era. Although these real-time audit monitor concepts sounded very interesting, they were seldom if ever implemented in that earlier era of batch processing and magnetic tape storage applications.

The older concepts of ITFs and SCARFs have long since evolved into CAA monitoring techniques, and while these older CAA tools and techniques are still effective, today they represent relatively advanced IT and internal audit procedures. This chapter will discuss CAA as an improved alternative approach for reviewing today’s automated systems as well as what is known as continuous monitoring (CM), business-controlled procedures that can be subject to periodic internal audits. Technology makes continuous auditing approaches much easier to implement, and evolving requirements for almost ...