Restoring auditor credibility: tertiary monitoring and logging of continuous assurance systems

Abstract

The continuing series of business scandals, from Enron to WorldCom, have undermined the credibility of auditing and auditors. In response, the SEC and the AICPA have advocated greater reliance on continuous assurance (CA), which utilizes on-line information technology to produce audit results simultaneously with, or a short period of time after, the occurrence of relevant events. In comparison with the traditional financial statements audit, CA aims to be timelier, more comprehensive, more accurate and more supportive of the management process. However, even if CA accomplishes that goal, will that be sufficient by itself to help restore investors' faith in auditing? We argue that while CA is certainly useful if the problem behind firm failure is lack of information and analysis, it is no more effective than standard auditing in a setting in which managers and auditors collude to deliberately mislead investors. Indeed, its reliance on automated analytics based on auditor- and manager-determined benchmarks makes CA especially vulnerable in the event of fraud. To overcome this potential weakness of future CA systems, we propose that they be augmented with a “black box (BB) log file” that is a read-only, third-party-controlled record of the actions of auditors, especially in regard to their interactions with management and choice of audit metric and models. Comprehensive and secure in a way that the current system of working papers is not, and accompanied by sophisticated search and analytic algorithms, the log files will serve as an “audit trail of an audit”, thus enabling an efficient and effective tertiary assurance system. We also argue that the strongest incentive to adopt logging is the replacement of SAS No. 96 with a new standard specifying that the audit documentation contained in the BB log has to be comprehensive in the sense that the auditor can rely on no other evidence but the BB log to support the issued audit opinion, e.g., in the case of litigation. Such a new standard will essentially leave it to the audit firms and to market forces to determine the extent and scope of logging, while ensuring that the intent of logging—to enhance the credibility of the audit by ensuring that it is better backed up by audit documentation—will be fulfilled.