Continuous Assurance for the Digital Transformation of Internal Auditing

As a result of the increasing demand on the credibility of the financial information disclosure, internal auditing has been playing an increasingly important role in organizations. Currently, there is a need to ensure the compliance of organizational transactions in real time in order to increase the reliability of the information and to reduce risks. In this context, the concept of Continuous Assurance has emerged, allowing to reduce potential errors and risks and obtain useful information in real time, supporting more effectively the decision making and internal auditing. This paper aims to understand the importance and the use of Continuous Assurance services from the perspective of the internal auditor. So, the methodology used is qualitative and the questionnaire survey was used to collect data from interna auditors in Portugal. The main results demonstrate, among other findings, that the Continuous Assurance services are considered by the internal auditors as very important. Despite this, its implementation in the organizations does not follow the importance assigned to it, and is still far from being fully deployed. The dimension of the audit department is an influential factor in the use of some Continuous Assurance services.


INTRODUCTION
In recent years we have seen constant changes: in the economy, in business transactions, in information systems, then the business environment has to adapt daily to these transformations. In this context, internal auditing has been playing an increasingly important role within organizations. The internal auditing not only verifies the accounting system and the transparency of the information provided by the financial statements, but also helps to implement control systems and fundamental procedures inherent in the activity of the organization. According to IIA (2021), internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. Furthermore, with the most technological developments, auditing has also been digitally transformed, allowing the evolution of traditional auditing to a continuous and real-time auditing. Information systems have changed the way organizations operate, transactions are increasingly automated, and human intervention in these transactions also changes, notably as regards the roles, responsibilities and qualifications required. Thus, the auditor's work has also been adapted to introduce supporting technologies that provide not only reliable but real-time information on the business processes to be audited. We can explain continuous audit as a systematic process of activities that intends to provide credibility and assurance in continuous information simultaneously, or in a short period of time after the occurrence of relevant events. But despite the numerous advantages in its application, its implementation is not always easily accepted by the organization, due to the high costs of implementing the technologies and information systems necessary for its process, the lack of procedures and practices of the control system and the lack of qualified professionals in continuous auditing (Santos et al., 2019).
The Continuous Assurance concept emerged with the development of continuous auditing, based on a set of services and technologies that enable auditors to proactively conduct real-time management of transactions that are being executed simultaneously, giving them the ability to intervene in the completion of transactions, correcting them and informing those responsible for the state of execution (Vasarhelyi et al., 2010).
The main objective of this study is to explore, from the internal auditor's perspective, the degree of importance and use of Continuous Assurance services. In addition to being a recent, innovative concept and there being no evidence of the existence of studies of this type, as we may have clues in the review made, it is also a topic that may have an impact on the future of organizations, since it provides a new and broad vision in which will be the digital transformation of internal audit. Its relevance is justified by the fact that internal auditing should be a constant and active presence of the organizations, providing effective management of them. The internal auditor should be aware that transformation of the audit because it not only changes your routine as your way of thinking.
This chapter is divided into five main sections, including this introduction. Next, the literature review is presented with the main concepts and models which support this work, as well as some related works more pertinent. Then it presents the methodology that led to this research. Before the conclusions, the results are presented and discussed.

LITERATURE REVIEW Continuous Assurance
Continuous Assurance is defined as the application of emerging information and communication technologies to the standard techniques of auditing, both mandatory periodic auditing and internal auditing (Vasarhelyi et al., 2010). In that view, the same authors add that Continuous Assurance appears as a pacesetter of the digital transformation of auditing as a pioneer in the evolution of transactional auditing from manual techniques to automated methods.
Furthermore, Continuous Assurance emerges as a set of services which aims to restore the credibility of auditing, simultaneously allowing organizations to meet the requirements of regulations. Hence, it can diagnose the company's viability and allegations of fraud and illegal acts, assessing the economy, efficiency and effectiveness of organizations (Murcia et al., 2008;Vasarhelyi et al., 2010).
Moreover, Continuous Assurance has provided a change in the auditing practice for the maximum possible degree of automation. Given the emphasis on the transformation of the entire auditing system, the development of Continuous Assurance requires a fundamental reassessment of all aspects of auditing, in particular on how data is made available to the auditor, how alerts are managed, what kind of reports are issued, and how often and to whom they are sent (Marques, 2019) The terms Continuous Assurance, Continuous Auditing and Continuous Monitoring are sometimes used indiscriminately in literature. Therefore, it is crucial to understand what characterizes and distinguishes them, but mostly to understand how they can be relate to, complementing each other (Figure 1). Continuous Assurance is a statement on the adequacy and effectiveness of controls and integrity of information. Continuous monitoring of controls is at the center of Continuous Assurance strategies; however, the audit activity ensures that management activities are appropriate and effective so that organizations have a greater level of certainty about the effective operation of controls, about risk management and about the integrity of information used for decision making (Alles et al., 2003;Coderre, 2005;Kuhn and Sutton, 2006).

Figure 1.
Continuous monitoring, auditing and assurance (adapted from (Coderre, 2005)) In turn, Continuous Auditing refers to activities undertaken to provide warranty and credibility to operations, besides giving a more timely character to issues of control and management of risk. Continuous Monitoring is responsible for constantly monitoring and evaluating business transactions and their related controls, enabling a real-time view on effectiveness of controls and on integrity of transactions ( (Littley et al., 2010;Minnaar et al., 2008). Evaluating the combined results of Continuous Monitoring and audit procedures, auditors can provide Continuous Assurance. However, only recently has an effort been made to understand their differences and distinguish between the concepts.
In 2006, a survey (PricewaterhouseCoopers, 2006) concluded that Continuous Assurance triggered corporate sensitivity to its adoption because in 2005 only 35% had a continuous auditing or monitoring processes in place or were planning to develop one, and this value increased to 50% in 2006. It is interesting to observe that 56% of respondents said their continuous auditing processes include both manual and automated elements, 41% indicated their processes are entirely manual, and 3% reported having fully automated processes.
Another study by Institute of Internal Auditors and ACL (ACL, 2006) also showed similar results: 36% of surveyed organizations confirmed they implemented a Continuous Assurance approach in all their business processes or simply in some selected areas, and 39% intended to implement in the near future. However, it also states that regardless of the reasons that organizations may have had to neglect the continuing auditing in the past, the recent regulations, the stimulus for real-time monitoring and reporting of financial information and the ability to automate the traditional audit methods have strongly encouraged its adoption.
According to the subsection Related Works of this paper, we can see that the implementations designated as providers of Continuous Assurance services, in the period 2002-2019, were still few and with some limitations regarding the diversity of services that Continuous Assurance should be expected to offer. This shows that this area is still developing and maturing. Also, other studies (Marques andSantos, 2017a, 2017b) also revealed with bibliometric studies that Continuous Assurance is not mature enough and is growing.

Objectives and Components
The objectives of Continuous Assurance, making it advantageous, are divided into four levels, which are difficult to define in a mutually exclusive way, but which serve to illustrate the functional dependence of Continuous Assurance on auditing (Alles et al., 2004):  Level 1: Evaluation of Organizational Transactions -at this level, it is intended to evaluate organizational transactions, and analyze and verify the atomic actions of transactions execution. With the use of corporate systems, such as ERP (Enterprise Information System) systems, it is possible to analyze, aggregate and evaluate data in order to classify and monitor organizational transactions. At this level, input data should be tested in order to verify whether they are valid, and whether procedures in execution of transaction are consistent with the sequence of established operations Contrary to traditional auditing, with Continuous Assurance it is possible to do this check in real time due to automation and integration of audit procedures. This transaction control can use the formal specification of workflow of processes defined in the ERP systems as a standard behavior of transaction. Thus, it is possible to verify whether transactions have been executed in compliance with all provided steps to foresee the flow of transactions, and whether these are missing or failing.
 Level 2: Compliance of Performed Operations -at this level it is intended to ensure that procedures applied in the execution of organizational transactions are appropriate (for example, are consistent with the rules, norms, or standards set by the organization or by external regulatory entities).
 Level 3: Quality of Estimates and the Consistency of Aggregate Data -in some businesses, estimates and forecasts are often used because the measurement or direct determination of some information is difficult and expensive to obtain. A simple and economical alternative is to use a formal model to automatically get an estimate, then the auditor's task will be reduced only to verifying the acceptability of this model, which can be done only once and off-line, based on knowing whether the used parameter values in model are reasonable. This level of Continuous Assurance includes automation of analytical procedures based on internal and external parameters. The use of analytical procedures in an automated system of Continuous Assurance increases efficiency and effectiveness of auditing.
 Level 4: Evaluation of Organizational Decisions -the auditing carried out by using ERP systems and advanced financial instruments must incorporate complex and high-level assessments, which are especially important for decision making. Continuous Assurance and the current analytic technology allow the extensive gathering of exogenous evidence, which provides crucial input into these judgments. Continuous Assurance may use, for example data warehousing and data mining as tools that facilitate automation of some of these decisions, improving the quality of high-level decisions and decreasing the audit risk.
Continuous Assurance is divided into three distinct components, but complementary (Vasarhelyi et al., 2010):  Continuous Controls Monitoring (CCM): Consists of a set of procedures to monitor the operation of internal control mechanisms;  Continuous Data Assurance (CDA): Verifies the integrity of the data circulating in organizational information systems;  Continuous Risk Monitoring and Assessment (CRMA): Measures the risk dynamically and allows to sustain an auditing plan.

Model for Evaluating an Information System with Continuous Assurance
A model composed of four dimensions were proposed in order to evaluate an information system with Continuous Assurance services (Marques et al., 2016). It intends to be regarded as a referential set of requirements when developing this type of information systems. Marques et al. (2016) used the Delphi method to validate the model in order to ensure the relevance of inclusion of these dimensions and requirement and also a set of metrics to be included in each dimension. Furthermore, this model was successfully used in a more comprehensive research project (Marques et al., 2015).
It is composed of the dimensions Monitoring, Compliance, Estimation and Reporting, which comprise all objectives and components of a system with Continuous Assurance services (Marques et al., 2016):  Dimension Monitoring relates with the objectives of level 1 and the component CCM. In this dimension, the following metrics may be found to assess whether the system can: monitor the various operations of a process as soon as they occur; identify an irregular (unforeseen or inconsistent) operation as soon as it occurs; verify whether the operations were processed at all the previous steps as required; detect lack of operations; and assess the continuity and completeness of transactions.
 Dimension Compliance includes the features of the component CDA and the objectives of level 2. The metrics associated to this dimension aims to assess whether the system can: recognize which known execution pattern was or has been followed by each organizational transaction monitored; ascertain which rules, conditions and procedures were fulfilled and unfulfilled in the organizational transactions monitored; detect potential errors; inhibit inappropriate events or behaviors; and help compliance with existing laws, policies, norms and procedures.
 Dimension Estimation covers the objectives of level 3 and the functions of the CRMA component. The metrics of this dimension assess whether the system can: estimate, given the current situation, what the possible results of the organizational transaction execution will be; and determine the execution pattern, or a set of execution patterns, which will be possible to be followed by the organizational transactions monitored, according to the current status of execution.
 Dimension Reporting includes the features of all components and the objectives of all levels. The metrics of this dimension must assess whether the system can: report the results of the monitoring of transactions; notify the results of the verification of compliance; inform the results of estimation; and alert users of irregular situations in monitoring, compliance verification and estimation of negative results. Table 1 concisely summarizes this model, presenting quantitatively measurable metrics for each dimension.

Related Work
An organization in the steel industry with 234 industrial and commercial units, present in 10 countries and with shares in New York Stock Exchange, was forced to implement measures of Continuous Assurance in accordance with SOX requirements. After these measures, all processes had to be documented and information started to be disclosed in time and with their integrity ensured and it held the participants responsible, inhibiting the occurrence of fraud (Hargadon and Fanelli, 2002).
Siemens has made an effort in this area, and it has successfully experimented some aspects of Continuous Assurance, namely, to ensure the integrity of its ERP systems and their automated modules with audit functions. Siemens's project proposes a methodology to monitor and evaluate the daily configuration of various settings of existing controls using CCM, because about 68% of its audit activities could be fully automated. Thus, an independent system was developed for interacting with read-only operations with the existing information systems and for reporting system and alarms in case of emergency (Alles et al., 2006). These implementations have ensured the effectiveness, efficiency and a timely character to the audit procedures (Alles et al., 2006(Alles et al., , 2008. For example, the use of CCM at Siemens Financial Services enabled significant improvements in the average exception rate, through the testing and monitoring of performance analytics (e.g. input checks, validity checks, and compliance with regulations and internal policies). In some departments, the reduction in the average exception rate was over 20% in the first year of implementation.
Also, and according to Vasarhelyi et al. (2010), one of the biggest banks in Brazil, with more than 1400 branches, has implemented measures for Continuous Assurance, proving the viability and benefits of these measures. This institution has a CDA, a system which daily analyses more than five million accounts and generates about six thousand alerts a month. This system aims to increase productivity with efficiency and quality and its mission is to assess the risks and controls automatically and continuously in order to identify exceptions, anomalies, trends and indicators of risk; advise about controls, risk assessment; and contribute to the corporate governance. These features include all products, processes and services which enable data extraction and analysis. The taken approaches are of detection (routines to detect possible errors), of deterrence (routines to inhibit inappropriate behavior and events), financial (routines to reduce or avoid losses), and of compliance (routines to ensure compliance with applicable laws, policies and standards) (Vasarhelyi et al., 2010).
The audits carried out by sampling once a year are insufficient for the current business model. Thus, continuous auditing is the answer to greater effectiveness in combating fraud and errors and thus increasing investor confidence. It is important that transaction anomalies are found within organizations in real time and that their report is immediately issued (Boyda¸s and Hazar, 2021). Initially, continuous auditing software becomes a time-consuming process, as it requires a highly specialized service. However, the same modules can be used over and over again, reducing costs in the long run. Continuous auditing also allows remote access to company data, thus allowing auditors to carry out the audit outside the entity's location, thus reducing the audit cost and increasing time efficiency. The authors state that the concept of continuous audit is still not widely used by organizations, the implementation methods are still in the research phase and still have great difficulties in execution, however the continuity of research that has been verified and the development of information systems, will eliminate the difficulties of implementation and their use will be exponential (Boyda¸s and Hazar, 2021).
A study (Ezzamouri and Hulstijn, 2018) in the public sector, more specifically in some municipalities in the Netherlands, shows the opportunities and needs to continuously monitor and evaluate financial data in the social area, as these services were decentralized from the government to the municipal level. According to the study, it was found that the technology applied to continuous monitoring easily detects errors and deviations, making it easier to carry out improvement processes.
information systems applicable to any business process, regardless of its type, dimension, business area or even its information system support technology, supported by an ontological model at an abstraction level that guarantees that contextual independence. The results analysis from an implementation of this solution allowed to ensure the feasibility and the effective use of the solution.
A study was carried out in Indonesia (Soedarsono et al., 2019), inquiring taxpayers from various Ministries, with the aim of researching the effects of the quality of information and management support, for the application of a continuous auditing and monitoring in the government sector. Continuous monitoring was implemented in real time to monitor the government's financial performance and concluded that the quality of information positively affects the application of continuous auditing and continuous monitoring, namely in the availability of real-time data for each technical area, the improving financing processes and increasing human resources skills. The authors also suggest the creation of a regulation for the transition from manual preventive procedures to automatic detection controls in order to increase the effect of continuous auditing and continuous monitoring to be reported to information users and management.
At a renowned public university in the USA, a continuous monitoring system was implemented in the internal audit department, for shopping cards used by university employees (Tronto and Killingsworth, 2021). The usefulness of this implementation was to reduce the amount of documentation, and the costs associated with the analysis of this documentation, thus allowing the purchase of services and goods of reduced value to be more efficient. To reduce the risk of misuse of the card by employees, preventive actions were implemented in order to combat fraud. The project was successful, demonstrating that continuous monitoring plays a very important role in internal auditing, reducing the time required for checking transactions.

Methodology
Considering that the main objective of this study is to explore, from the internal auditor's perspective, the degree of importance and use of Continuous Assurance services. The following research questions were therefore raised: This is an exploratory study that uses a qualitative methodology. We opted for a questionnaire survey applied to professionals linked to the internal auditing function of companies of any size and of any sector of activity, between January and February 2019. The questionnaire was distributed by the social network LinkedIn. In this social network, private messages were sent to professionals who identify themselves in their profile as internal auditors in Portugal, asking them to respond to the questionnaire. In total, about 600 of these messages were sent.
The questionnaire was divided into four parts: the first was to know the profile of the respondent (age, gender, academic qualifications, possession of an auditing certification, professional experience in auditing in number of years and function.), the second was intended to characterize the company where respondent works (size of the company in which the respondent works, number of internal auditors in the company), the third was to collect data on the degree of importance of the Continuous Assurance service and the fourth part about the use of the Continuous Assurance service. The third and fourth parts were supported by the dimensions and metrics included in the information systems model for evaluating information systems with Continuous Assurance services presented above.
Regarding questions of importance and use of Continuous Assurance, a Likert Scale was used, consisting of qualitative variables with an ordinal scale of measurement in which the different categories of the scale are ordered in a graduated order, and the respondent can choose between five possible answers. Regarding the scale of response, it was used "not important", "slightly important", "moderately important", "important" and "very important" to the question of degree of importance. For the question of degree of use, it was used the options "not implemented", "rarely", "casually", "frequently" and "always".

Sample Characterization
The sample of this study consists of 91 valid answers to the questionnaire.
The first part of the questionnaire, with respect to the characterization of the respondents, shows that most of the respondents, approximately 75.82%, are between 25 and 45 years of age (36.26% between 25 and 35 years and 39.56% between 35 and 45 years). About 15.38% are in the 46-55 age group, only 5.49% are under 25 years old and 3.30% of the sample are over 55 years old. The respondents are mostly male, about 73.63% of the answers, and the remaining respondents are female.
Regarding academic qualifications, it is observed that most of the respondents, 49.45%, have an undergraduate degree. In addition, 25.27% have a postgraduate degree, 23.08% have a master's degree and only 2.20% got a PhD.
The majority of respondents do not have any audit certification, corresponding to 64.84% of the answers. It should be noted that 21.98% of the sample are CIA (Certified Internal Auditor), and this percentage is still representative. There are also CISA (Certified Information Systems Auditor) and CRMA (Certified in Risk Management Assurance) corresponding to 3.30% and 2.20% respectively, but without great impact on the total sample. The response regarding other certifications obtained 7.69% of the answers, indicating essentially internal certifications based on the activity/department of the organization in which the respondent is inserted.
Regarding the professional experience of the respondents, we found that the those who have to less than 5 years of experience and between 11 to 20 years have similar frequency, with 28.57% and 27.47%, respectively. However, most of them, about 38.46%, have between 5 and 10 years of experience, and, finally, only 5.49% worked for more than 20 years. Furthermore, 71.43% of respondents perform auditing functions, 12.09% management functions and the other administrative, financial, accounting or information systems functions.
Concerning the questions in the second part of the questionnaire which characterizes the companies where respondents work, it was found that the vast majority, around 79.12%, work in a large company, 16.48% work in a mediumsized enterprise, only 3.30% work in a small enterprise and only one respondent works in a microenterprise. The categories of micro, small and medium-sized enterprises is based on the European Commission Recommendation 2003/361/EC of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises.
With regard to the number of internal auditors working in the audit department where the respondent is inserted, the data show that 10.99% of respondents indicate that there is only one auditor in that department, 25.27% of respondents indicate that it is composed of 2 to 4 auditors, 24.18% indicate that it is composed of 5 to 10, and 39.56% of respondents say that there are more than 10 auditors working. This last finding is expected since the vast majority work in a large company.
By relating some of the variables presented previously, it is possible to obtain a more detailed characterization of the sample. For example, Table 2 shows that 52.75% of the respondents working in a large company do not have any audit certification and only 16.48% are CIA. The remaining CIA work in mediumsized enterprises (3.30%), and in small and microenterprises (1.10% each). It should be noted that the only respondent who answered the questionnaire working in a microenterprise is CIA. We can also observe that almost 65% of the respondents, regardless of the size of the company where they work, have no audit certification. This percentage is similar when we analyze the number of professionals without certification by company size. Analyzing Table 3, we found that of the 79.12% participants who work in a large company, almost half have more than 10 internal auditors in their companies. It is also clear that 5.49% of respondents working in a large company have only one auditor. It should be also noted that the respondent working in the microenterprise indicated that there are between 2 and 4 auditors and that a respondent, working in a small company, specified that there are more than 10 auditors. To answer this question, we outline a ranking for the metrics of each dimension. The choice fell on the measure of location of central tendency: mode. Mode is the most frequent value of the responses made available to the respondent. It depends only on the frequency of observations and not on their value, and is not affected by extreme values, which makes it a very robust measure (Martinez and Ferreira, 2007). Table 4 shows the distribution of the answers by the various answer options; the mode being represented in bold for every metric. The "not important" option has achieved extremely low response rates, so this means that internal auditors are aware of the importance of Continuous Assurance services.
Regarding the Monitoring dimension, the metrics "realtime identification of irregular operations" and "real-time detection of lack of operations" were considered the most important, having both obtained more than half of the respondents considering them very important. The importance attributed to this dimension by the internal auditors is very notorious. Regarding the Compliance dimension, it is important to note that the metric "ascertaining of fulfilling of rules" did not obtain any "not important" response, thus showing the concern of all auditors in complying with regulations and legislation, however, despite the mode being "very important", this ranks second, with metric "detection of potential errors" being the most important.
All metrics in the Estimation dimension were "very important" as mode, with a response frequency greater than 50%. In addition to the "real-time identification of irregular operations" metrics from the Monitoring dimension, we have the "estimation of possible results" metric, with a similar number of responses in the "very important" option (almost 60%). Of the 15 metrics considered in the study, these two are the most important in the perspective of internal auditors. We can also verify that the "real-time alert for irregular situations in monitoring, compliance verification and estimation of negative results" was considered the most important in the Reporting dimension, obtaining almost 50% of the responses.
The response options which correspond to the highest importance (important and very important) were the most frequent, allowing to confirm that the overwhelming majority of respondents are aware of the benefits that the Continuous Assurance service provides in an organization and the importance may have in the execution of the audit work. The sum of responses in these two response options is always higher than 69% in each metric, with some of them reaching close to 95% of the answers.

RQ2: What Continuous Assurance services are most used by the internal auditor?
In the same way of the previous question, we used mode to analyze the degree of use of each metric under analysis. Table 5 shows the frequency of responses obtained in each response option by dimension and metric of the model. Similarly, the mode is represented in bold. As shown in the table above, the percentage of answers "not implemented" is more significant than the "not important" in the question about importance. Thus, we immediately perceive a gap between importance and implementation.
Regardless of dimension, the most frequent answer is "frequently". In this question we no longer obtain the maximum scale "always" as the most frequent answer, and the answers were already much more distributed by the response options and not as concentrated in the two maximal scales as in the question about importance.
Analyzing now the percentage of response obtained for the answer that corresponds to Mode, it is observed that in the dimension Monitoring, there are three metrics with higher frequency of use with identical percentages, namely "Real-time verification of processing of required operations at all previous steps", "Real-time detection of lack of operations", and "Realtime monitoring of operations", both with about 40% responses.
In the same way, it is evident that, in the dimension Compliance, the "detection of potential errors" has the highest percentage in the response option that correspond to Mode, obtaining 50.55% of answers. In the Estimation dimension, the two metrics have values not too far apart, but slightly below 50%. Finally, in the Reporting dimension, the most widely used metric is " Real-time presentation of the risk estimated on determining possible execution patterns" with almost 41%.
In addition, we can further conclude that the metrics with the lowest implementation in companies are: From the ranking of the least implemented metrics, we observe that those that compose the Monitoring dimension are the least implemented and used. This result is in line with what was found in the literature by Marques and Santos (2017a), which demonstrate by a bibliometric study that research on continuous monitoring is scarce and therefore may be one of the causes of the slow growth of research on continuous assurance, and consequently its implementation. Some real-time reporting services are also the least implemented because they are a consequence of the scarce implementation of real-time monitoring, since there will be no real-time reporting without continuous monitoring.

RQ3: What factors influence the importance assigned by internal auditors to the Continuous Assurance service?
In order to answer this question, the following hypotheses were put forward and the non-parametric Chi-Square independence test was applied, which allows us to determine whether two variables are related. All the characteristics of the respondent will be tested as independent variables. That is, the hypotheses below will be applied for every independent variable.
The hypotheses considered for applying the Chi-Square test are:  H0: The importance assigned to the Continuous Assurance service is independent of the independent variable;  H1: The importance assigned to the Continuous Assurance service is dependent on the independent variable.
For simplification of the sample: in the company size, since we only obtained 3.30% of the responses of small companies and 1.10% of microenterprises, which are not significant in the total sample, but nevertheless are valid answers, we considered these answers as being of medium-sized companies. In the same line of thinking, and regarding certification in auditing, as we only obtained 3.30% CISA and 2.20% CRMA, which are not significant in the total sample, however, are valid answers, we consider the answers in the category without CIA certification. In total we have 22% CIA and 78% of non-certified respondents.
For a significance level of 5%, the decision rule depends on whether the value of Sig. is greater than 0.05. Table 6 shows the value of Sig. obtained from the Chi-Square test for each metric and independent variable. From this table, we observe that the value of Sig. is almost always greater than 0.05, so we do not reject H0. That is, the importance assigned to the Continuous Assurance service is, in general, independent of the analyzed variables. However, we detected three metrics in which the exact opposite is true:  Real-time monitoring of operations is influenced by the number of auditors -the level of importance attributed to this metric is influenced by the number of auditors within the company, a greater attribution of importance is observed when the department is made up of several internal auditors.
 Estimation of possible results is influenced by certification in internal auditing -the importance attributed to this metric is influenced by audit certification. All respondents who are CIA responded that this metric is "important" or "very important", thus certification influences the importance perceived.
 Estimation of possible results is influenced by the auditor's role -the importance is also related by the auditor's function. It is observed that almost all internal auditors, considered this metric "important" or "very important". Therefore, when an auditor exclusively assumes the internal audit as its main function, the professional gives more importance to this metric.
In these metrics, there is a dependence relation among the variables. An auditor with internal audit certification is more aware of the estimation of potential risks in the execution of his work. And the real-time monitoring of operations is performed more frequently and effectively in a department where works many internal auditors.
We can confirm that regardless of the profile of the respondents and the organization in which they are inserted, all the metrics are important, perhaps because most of them are internal auditors, and they are aware of new knowledge requirements, and they can identify the Continuous Assurance services as services that propose a continuous excellence within the organizational processes.
RQ4: What factors influence the use of the Continuous Assurance service by internal auditors?
Similar to the previous question, we also used hypotheses for the application of the Chi-Square independence test. In this case, the hypotheses which were tested by the Chi-Square:  H0: The use of the Continuous Assurance services is independent of the independent variable  H1: The use of the Continuous Assurance services is dependent of the independent variable Table 7 shows that most of the dependent variables under analysis are not influenced by the independent variables. And we can verify this fact by the value of Sig. Most variables have a value of Sig. greater than 0.05. However, it should be noted that there are some dependencies, namely:  Real-time identification of irregular operations is influenced by academic qualifications -the number of answers that do not have this metric implemented is still significant, approximately 21%, however the greater use of this one the greater the academic degree of the respondent.
 Ascertaining of fulfilling of rules is influenced by the number of internal auditors in the department -in departments with more than 5 internal auditors, there is a greater concern in the implementation of this metric, that is, the larger the audit department, the more careful they are in enforcing internal policies.
 Verification of compliance of existing policies is influenced by the number of internal auditors in the department -it is noted that the larger the internal audit department, the greater the compliance check. The high pecuniary compensation of the infractions that the company may practice may be a factor of increased concern in accordance with the law.
 Detection of potential errors is also influenced by the number of internal auditors in the department -the same is true in this metric, there is a dependency of this with the number of internal auditors in the company, somehow this metric is already implemented in the company, only about 8% of the respondents, mostly from departments until 4 auditors, answered that it has not implemented metrics in the company.
 Estimation of possible results is influenced by the number of internal auditors in the department -Only around 3% of the respondents in audit department with more than 5 auditors answered that this service is not yet implemented, and it is confirmed that the degree of use of this metric is dependent on the number of auditors in the company.
RQ5: Is the degree of importance of the Continuous Assurance service, from the internal auditor's point of view, equivalent to the degree of use of the Continuous Assurance service?
To answer this question, it was necessary to work with quantitative variables. Thus, new variables were created from the average of the dimensions, as indicated in Table 8.
In order to obtain the averages of the dimensions, each metric is quantified according to the response of the respondent based on a scale between 1 and 5. Then the average of each dimension of the degree of importance with the degree of use is added, thus forming a pair. For example, we can verify that the average of the dimension Monitoring for the degree of importance (Avg_Imp_Dim1) is 4.0484 and the average of the same dimension in the degree of use (Avg_Use_Dim1) is 3.2747 (Table 8). The second pair that corresponds to the dimension Compliance, the average of importance obtained 4.11731 and of use obtained 3.7912. In the third pair, that refers to the dimension Estimation, we obtained 4.4780 in the degree of importance and 3.6209 in the degree of use. Finally, in the dimension Reporting we obtained 4,0604 and 3,5275, for the importance and for the use respectively. From this first analysis we can already verify that the average of the degree of importance is superior to the average of the degree of use. We intended to know through the test presented below whether the two results obtained, in the degree of importance and of use are related and the degree of this relationship. Through correlation measures, the probability associated to the occurrence of a correlation determined, under the hypothesis of nullity that the variables are unrelated. The correlation coefficient represents the degree of association of the samples. Although we may find different interpretations regarding the correlation coefficient, we have defined in this question that values up to 0.5 have a low correlation. Table 9 shows a correlation between the degree of importance and the degree of use. As we can demonstrate through the obtained data, the relation is not very strong and direct, that is, there is no correlation between the importance and the use. The degree of importance is higher than the degree of use in all dimensions, which can be considered as expected, because the degree of importance is an opinion that depends only on the profile of the respondent and the level of use may depend on several other factors, namely the company profile.

CONCLUSIONS
The present study aimed to understand the importance and the use of Continuous Assurance services from the perspective of the internal service. To this end, data were collected through a questionnaire addressed to internal auditors in Portugal.
As we can see in previous sections, the number of internal auditors that make up an internal audit department is a very influential feature in determining the implementation of some metrics in the business environment. The larger the department, the greater the implementation of these metrics. In our study through the analysis performed, we can mention that the degree of importance assigned to a Continuous Assurance service by the respondent is superior to the degree of use of the Continuous Assurance services. The level of implementation and use is not very different from the percentages identified by the studies presented in the related works subsection.
We can affirm that some Continuous Assurance services are already implemented in medium and large companies and present in the professional life of the internal auditors. However, there is still a lot of work to be done to ensure that the Continuous Assurance service is fully implemented in the organizations.
The research previously done in this subject, and identified in the literature review, concluded that despite the relatively slow evolution, it can be stated that specially in the medium and large companies, most of the internal audit professionals are aware about the importance of implementing a Continuous Assurance system and that the use of some of its services is already somehow established in their daily routines.
This study has two main limitations: the geographic scope, since only responses from internal auditors in Portugal were obtained; and the size of the sample, which being small, does not allow us to generalize the conclusions obtained.
For future research, it may be interesting to study the following topics: explore the use of Continuous Assurance services by public sector entities; and in the perspective of the external auditors, identify the changes in their performance in companies which have Continuous Assurance services. In addition, it will also be interesting to apply the questionnaire periodically in order to assess the evolution of the implementation and use of Continuous Assurance services