This article is part of Achieving Audit Leadership Through Analytics and AI, a 6-article series co-written by The Internal Audit Collective and Supervizor. This series is designed for internal audit leaders who want to become more strategic, more influential, and more valuable to their organizations.
Across the series, we explore how analytics and AI can help audit teams move from findings to insight, from insight to action, and from action to stronger business ownership.
This article is Part 2. If you missed it, read Part 1: [Going from zero to one: launching an audit analytics program that actually sticks].
Coming next month: Part 3, The handoff: moving from continuous auditing to continuous monitoring owned by the business.
"If it starts to be continuous, it's not audit anymore."
- Charles King, US AI for Internal Audit Solution Leader at KPMG, IIA GAM 2026.
At first, this sounds contradictory. It makes logical sense that every organization should detect its top risks on a continuous basis – catching problems as they occur, not months later. But the traditional mandate of internal audit is inherently point-in-time: follow an audit plan, test one thing, move to the next. So where does continuous auditing actually fit?
This tension defines where many audit leaders find themselves in 2026. And the answer might be simpler – and more powerful – than you think.
The Problem: The Audit Plan That Never Changes
Let's be honest about what's really happening in most audit functions. For audit to stay relevant, it cannot keep doing what it has always done. Yet that's precisely what happens, year after year.
Your audit team spends 50 to 60 percent of their time on SOX compliance. Everything else – the operational audits, the risk-based projects, the advisory work – competes for the remaining capacity. Modern audit leaders are actively trying to reduce time spent on SOX compliance work. But here's the problem: even when they succeed in freeing up 40 percent of their time, most teams fill it with the same operational projects they audited last year. And the year before that. Procurement. Travel and expenses. Financial reporting processes. Account reconciliations.
The cycle is predictable. An audit plan gets refreshed annually with good intentions: pivot toward emerging risks, reduce compliance overhead, shift to advisory work. By March, the realities of SOX obligations, audit requests, and operational continuity push teams back into familiar patterns. The strategic pivot gets delayed another year. And another.
As Tom O'Reilly, founder of the Internal Audit Collective, puts it:
"In order for us to really be important and relevant to our company, we can't be doing the same thing that we've always done."
The irony is painful. Audit leaders want to be strategic partners. Their CFOs want them to be strategic partners. The audit committee wants them to be strategic partners. But the audit plan says otherwise.
If you're still in this cycle, article one in this series covered how to get started with analytics. But if you've moved past that point – if you've already proven value with a first analytics test – then you're ready for the next question: why would you test something just once?
The Case for Continuous: From Critiques to Providing Value
Here's the core insight: continuous auditing takes the routine projects that have always sat on audit's agenda and pushes them back where they belong – on management's agenda.
You accomplish this in two steps:
- First, you use data analytics to prove the value.
- Second, you influence management to own the analytics going forward.
When you do this successfully, something shifts. You're no longer auditing people and telling them what they did wrong. You're providing them with a tool – a platform for insight that helps them be better managers.
There's a meaningful difference between getting support and getting partnership. One sounds like: "Please cooperate with audit. Give them access." The other sounds like: "This function matters to us. Audit's here to provide us insights that will help us get better at what we do."
The first buys you compliance. The second earns you influence. And influence – the ability to shape how management thinks about risk and control – is what separates audit functions that stay relevant from those that get slowly sidelined.
When you free up time on the routine compliance work through continuous auditing, two things happen. First, you improve your brand. You're delivering value instead of delivering critiques. Second, when you turn to audit new and non-routine areas – emerging risks, go-to-market initiatives, geopolitical exposures – you don't just get support from management. You get partnership. And that partnership opens doors.
The Real-World Shift
BorgWarner's internal audit team set out with an ambitious goal: shift from a 60 percent compliance, 40 percent advisory audit plan to one where advisory work takes center stage. Mike McDonald, their Chief Audit Executive, knew the path forward ran through automation.
By implementing continuous analytics on their procure-to-pay process across 20 company codes, the team immediately proved value. They uncovered control weaknesses, identified duplicate payments, and established patterns that flagged high-risk pockets. Within the first six months, the ROI was clear.
More importantly, the shift in perception was dramatic. Instead of audit coming in to critique, audit now came in with data-driven insights that helped process owners improve their operations. The conversation changed. Compliance became partnership.
📻 Hear more about Mike McDonald's perspective in the "From Compliance to Trusted Advisor" webinar (recorded October 2025) or listening to his episode of The Audit Podcast, "How BorgWarner’s IA Drives Value Beyond Compliance".
Supervizor's AI Insights feature exemplifies this shift. Instead of surfacing a raw list of hundreds of findings, the platform auto-generates business-ready insights: key patterns, root cause analysis, and actionable recommendations. This is what moving from "issues" to "insights" actually looks like in practice.
Help the Business Act on What You Find
Audit creates more value when findings lead to better processes. Supervizor’s AI Insights feature turns large volumes of exceptions into clear insights, root causes, and recommended actions that stakeholders can actually use.
Watch AI Insights video
If You Found It Once, Why Not Run It Again?
Here's the uncomfortable reality: most analytics discoveries disappear after the audit ends. A query that surfaced something meaningful gets filed away. The next fiscal year brings a fresh audit plan, and you start from scratch. You've gained no institutional knowledge. You're not building a monitoring baseline – you're just collecting point-in-time snapshots.
Continuous auditing flips this. If something mattered enough to investigate once, it deserves a systematic look going forward. Yet most teams don't make this leap. They treat each analytics test as a one-off, tied to a specific engagement. When the project closes, the routine dies with it.
This is the bridge from point-in-time analytics to continuous auditing. It's not a dramatic leap. It's the natural question that follows a successful first test.
How to Decide: What Should Be Continuous vs. Ad Hoc
Not everything should be continuous. That's an important guardrail. Running analytics on everything creates resource traps and drowns teams in noise.
Start with materiality. Which processes carry the most financial risk or reputational exposure? A high-volume transaction area where exceptions recur – accounts payable, payroll, expense management – is a better candidate than a low-frequency, judgment-heavy process.
Next, consider feasibility. Can you access consistent data repeatedly, or does your data landscape shift between cycles? The more stable your data source, the more predictable your analytics. If your data comes from multiple legacy systems with inconsistent reporting, continuous monitoring becomes messy. If data flows from a stable ERP or data warehouse, it's feasible.
Finally, ask whether anyone will actually use the insights. This matters more than the analytics themselves. If your first-line stakeholder is overwhelmed, skeptical, or too stretched to investigate findings, continuous monitoring becomes a drain instead of a partnership.
The output structure deserves special attention. Insights win. Exception lists lose. Frame your continuous analytics to highlight patterns and root causes, not raw issues. If you surface 200 exceptions monthly and dump them on finance, you've lost credibility. If you surface three key insights – patterns, trends, recommendations – you've earned trust.
What Continuous Auditing Actually Means
There's a misconception that 'continuous' means real-time or daily. It doesn't. It means systematic – running the same check repeatedly on a predictable cadence so you build a trend line instead of isolated snapshots.
The frequency depends on the risk and the business rhythm. Duplicate invoice detection might run weekly because invoices flow constantly. A segregation-of-duties review might run monthly because user access changes are batch-processed. A cash disbursement exception check might run quarterly because that's when you have enough transaction volume to spot patterns. The key is consistency, not speed.
More importantly, you need to decide upfront who owns the responsibility when results come back. Does finance review the output? Does the process owner? Does audit? Who investigates when something looks wrong? And critically – who decides when an insight is material enough to escalate and act on?
These operational details matter far more than the tool you're using. A sophisticated analytics platform run by unclear owners will create chaos. Simple analytics with clear accountability will drive change. Be ruthlessly clear about the handoff: when audit surfaces an insight, who takes it from there? What's the timeline for response? When does it bubble up to leadership?
The Maturity Arc: Three Phases
There are three key phases for a company to grow from a state of ad-hoc auditing to continuous monitoring.
Most audit teams naturally progress through stages. Early on, analytics are attached to specific audit engagements – useful, but temporary. They prove a concept. Over time, teams that keep the momentum going move toward repeatable routines: the same check runs monthly or quarterly, building a historical baseline and revealing patterns over time. That's continuous auditing.
The final stage – and the hardest to reach – is when the business takes over these routines entirely. Audit steps back and audits the process itself, not the transactions. This handoff is where real strategic capacity opens up.
The progression isn't about better technology. It's about persuasion. Can you convince management that they should own the routine? That's the leadership challenge. As Tom O'Reilly notes:
"How you grow in that maturity model is by the internal audit team's ability to influence and persuade – not about the technical capabilities of the continuous monitoring aspect."
It's leadership, not technology. It's your ability to build trust, deliver value, and convince management that they should own the routine. Tools enable it, but people drive it.
Signs It's Working vs. Signs It's Not
The clearest signal that continuous auditing is working is when the business starts pulling you toward the data before you push it to them. They're asking questions. They want to understand trends. Exceptions are trending down because remediation is actually happening, not because you've stopped looking. Process owners are fixing root causes, not just individual items.
The opposite picture is equally clear. Nobody opens your reports. The same exceptions show up month after month with no investigation. Process owners treat your findings as noise. That's feedback that your analytics aren't aligned with what the business actually cares about.
False positives aren't a failure – they're feedback. Better to deal with noise in your continuous monitoring than to miss a material issue because you're not looking.
The Natural Transition
Once you've built repeatable analytics and proven they deliver value, the next question is inevitable: how do you hand this off to the business? That's the move from continuous *auditing* to continuous *monitoring*, and it's where audit truly becomes a strategic partner instead of a compliance function.
That's the focus of article 3 in this series. For now, understand that continuous auditing is the bridge - the place where audit proves it can deliver ongoing value, build trust, and free up capacity for the strategic work that keeps your CEO up at night.
.jpg){kind=icon}