RA-006 · Research Report · 2026-05-16 · DOI 10.5281/zenodo.20185550

Audit, Compliance & RegTech

Cameisha Smith

The Inquiry

The Inquiry: What infrastructure gap explains the persistent failure of audit documentation requirements despite comprehensive professional standards, and what does the 30-year continuous auditing research tradition reveal about the conditions necessary for real-time governance assurance to become operational?

The audit profession has produced increasingly comprehensive documentation standards across five decades — from AU-C Section 230's "experienced auditor" test through the Yellow Book 2024's quality management paradigm and the EU AI Act's conformity assessment requirements. Yet AU-C 230 noncompliance remains the most common material deficiency in AICPA peer reviews, continuous auditing remains largely aspirational 35 years after Vasarhelyi & Halper's (1991) pioneering CPAS implementation at AT&T Bell Laboratories, and the shift from periodic to continuous assurance stalls at the boundary between conceptual frameworks and operational reality.

This sprint investigates whether these persistent failures share a common root cause — an infrastructure gap rather than a knowledge, training, or standards gap — and traces the continuous auditing tradition's identification of this gap across three decades of research.

Falsifiable formulation: If documentation failures are caused by training deficits rather than infrastructure absence, then training interventions should reduce AU-C 230 noncompliance rates. The persistent failure despite decades of professional emphasis, training programs, and peer review pressure refutes this alternative explanation.

Executive Summary

The substrate gap as convergent diagnosis. Three independent evidence streams converge on the same root cause. Stream 1 — professional standards: AU-C 230 noncompliance persists as the most common material deficiency (F1) despite the profession producing increasingly comprehensive documentation standards (F2, F3, F4, F5). The Yellow Book 2024's explicit shift from quality control to quality management (F3) acknowledges that reactive quality checking is insufficient — but the shift requires infrastructure the profession does not have. Stream 2 — continuous auditing research: Vasarhelyi's 35-year research program consistently identifies the same barrier: not technology, not theory, not demand, but the absence of infrastructure connecting audit systems to governance-relevant operational data (F11, F12, F13, F14). Brown et al.'s classification (F16) confirms "enabling technologies" as the weakest research stream despite mature development in all others. Stream 3 — RegTech/GRC evolution: Three generations of GRC platforms (F22) and three phases of RegTech evolution (F19) have developed the governance data consumption layer (monitoring, analytics, reporting) without solving the governance data production layer (capturing structured governance data from organizational processes).

The convergence is diagnostic: the problem is not what to monitor (standards specify this), not how to analyze (technology can do this), not why it matters (demand is established). The problem is generating the governance data in the first place — at the point of decision, with sufficient structure, in real time. This is the substrate gap.

![Figure 1. Three independent evidence streams converge on the same infrastructure diagnosis.](images/rr-006-fig-01.png)

Three simultaneous transformations. The audit landscape is undergoing convergent transformation. The temporal transformation moves from periodic to continuous assurance — driven by SAS 142's evidence modernization (F4), the Yellow Book 2024's quality management shift (F3), and IIA 2024's technology-as-obligation standard (F7). The scope transformation moves from financial auditing to enterprise governance assurance — driven by COBIT 2019's integrated governance model (F8), the EU AI Act's conformity assessment requirements (F10), and CAAI emergence (F15). The technology transformation moves from manual procedures to AI-enabled compliance — driven by RegTech evolution (F19), the hybrid intelligence model (F27), and SAS 142's recognition of automated evidence (F4).

All three transformations stall at the same boundary: the absence of governance data infrastructure. This is the unifying insight of Sprint 6.

![Figure 2. Comprehensive standards create demand for governance data infrastructure that does not exist.](images/rr-006-fig-02.png)

The Vasarhelyi lineage. The continuous auditing research tradition traces a coherent arc: CPAS demonstrated feasibility (F11, 1991) → CICA/AICPA provided the definition (F12, 1999) → Brown et al. classified the field and identified the technology gap (F16, 2007) → Alles et al. documented practical barriers in pilot implementations (F14, 2008) → Chan & Vasarhelyi formalized the paradigm, revealing what this report terms the response gap (F13, 2011) → Bumgarner & Vasarhelyi updated for big data (F17, 2018) → Minkkinen et al. extended to AI systems and found no established CAAI literature (F15, 2022). At each stage, the same infrastructure gap is identified from a different angle. The research tradition has been pointing at the same missing piece for 35 years.

![Figure 3. The continuous auditing research tradition has identified the same infrastructure gap from successive angles across 35 years.](images/rr-006-fig-03.png)

The AI audit frontier. The EU AI Act (F10) creates regulatory demand for AI audit infrastructure that Minkkinen et al. (F15) demonstrate does not exist even in conceptual form. Article 9's requirement for continuous risk management "throughout the entire lifecycle" cannot be satisfied by periodic assessment. Article 14's human oversight requirements — including authority to stop system operation — need infrastructure that captures human-AI decision interactions: who delegated authority, when AI recommendations were accepted or overridden, how oversight operated. Butler & O'Brien's (F21) finding that autonomous AI compliance decision-making remains aspirational reinforces the need: human judgment remains essential, but infrastructure to capture that judgment in the context of AI-assisted decisions does not exist.

The Deming parallel. The manufacturing quality revolution's central insight (F26) — "design quality in" rather than "inspect quality in" — maps precisely to the governance documentation problem. The audit profession has been trying to inspect documentation quality through periodic reviews (peer review, engagement quality review, quality control procedures). The Yellow Book 2024 (F3) acknowledges this is insufficient by shifting to quality management. But quality management without infrastructure that embeds documentation into the decision-making process is a mandate without a mechanism. Deming's insight applied to governance: documentation quality must be a structural property of the process, not a verification step after the process.

Abstract

AU-C Section 230 noncompliance remains the most common material deficiency in AICPA peer reviews despite five decades of increasingly comprehensive documentation standards, professional emphasis, and training programs. This report traces three independent evidence streams — professional standards evolution, the Vasarhelyi continuous auditing research program (1991–2022), and RegTech/GRC platform maturation — to a shared root cause: the absence of governance data infrastructure at the point of decision. The continuous auditing tradition has identified this same gap from successive angles across 35 years, while three generations of GRC platforms have built governance data consumption layers without solving the data production problem. The convergent diagnosis is architectural, not behavioral: current systems structurally separate documentation from decision-making, guaranteeing incomplete documentation under competing demands. The Deming quality principle — design quality in rather than inspect quality in — provides the theoretical frame for why quality management mandates remain insufficient without infrastructure that embeds documentation into the decision process itself.

"A series of auditors' reports issued virtually simultaneously with, or a short period of time after, the occurrence of events underlying the subject matter." — CICA/AICPA (1999), Research Report on Continuous Auditing
Findings30
F-RA-006-01 · gap-identification · lab-originated
AU-C 230 noncompliance is the most common material deficiency in AICPA peer reviews, with approximately one in four engagements under enhanced oversight materially nonconforming. Three persistent failure patterns: oral reliance (auditors rely on verbal explanations rather than written documentation), sign-off without evidence (program checkmarks treated as sufficient without underlying workpapers), and missing procedure documentation (required procedures lack any documented evidence; compliance asserted from memory).
F-RA-006-02 · gap-identification · lab-originated
The "experienced auditor" test establishes a self-sufficiency standard for audit documentation (sufficient for an experienced auditor with no previous connection to understand nature, timing, extent, results, evidence) that current organizational systems systematically fail to meet. Assembly deadline 60 days; retention 5 years minimum; post-assembly modifications require documentation of reasons, timing, authorship.
F-RA-006-03 · gap-identification · lab-originated
The Yellow Book 2024 (GAO-24-106786) represents a philosophical shift from quality control to quality management — Chapter 5 retitled ("Quality Management, Engagement Quality Reviews, and Peer Review"); QM requires proactive identification of quality risks, not reactive deficiency detection. Implementation deadlines: QM system designed/implemented by Dec 15 2025; evaluated by Dec 15 2026. Introduces optional engagement quality reviews + scalability provisions; new CPE in cybersecurity, data analytics, fraud detection.
F-RA-006-04 · gap-identification · lab-originated
SAS 142 (effective Dec 2022) formally recognizes audit data analytics and automated tools and techniques as legitimate evidence-gathering methods, creating demand for evidence infrastructure without specifying the infrastructure. Innovations: ADA as formal category; broadened evidence sources (internet data, social media, automated tool output); dual-purpose procedures (risk assessment + substantive testing); principles-based evidence framework applicable to any source.
F-RA-006-05 · theoretical-grounding · established
SAS 145 (effective Dec 2023) enhances risk assessment with explicit IT controls assessment, inherent risk factors at assertion level, and a "stand-back" requirement to reassess risks after fieldwork.
F-RA-006-06 · theoretical-grounding · established
The 2024 revision of 2 CFR Part 200 raises the single audit threshold to $1,000,000, adds cybersecurity requirements to internal controls (§200.303(e), PII safeguarding), and restructures terminology from "non-federal entity" to "recipient/subrecipient." 12 standard compliance requirement types; FAC reporting via SF-SAC, 5 XLSX workbooks, PDF packages, Login.gov.
F-RA-006-07 · gap-identification · lab-originated
The IIA 2024 Global Internal Audit Standards restructure internal auditing around five domains, shift technology from "consideration" to "obligation" (CAE must strive to ensure the function has supporting technology), and fully incorporate the Three Lines Model (replacing Three Lines of Defense). Domain V addresses continuous auditing, data analytics, AI, remote auditing.
F-RA-006-08 · structural-mapping · lab-originated
COBIT 2019 organizes IT governance into 40 objectives across five domains, with the MEA (Monitor, Evaluate, Assess) domain specifically addressing continuous compliance monitoring (MEA01 conformance via KPIs/SLAs, MEA02 internal control audit, MEA03 external compliance, MEA04 managed assurance). Eleven design factors enable governance customization; governance responses must be reassessed when context changes.
F-RA-006-09 · structural-mapping · lab-originated
SOX §302 creates personal executive certification liability; §404 requires ICFR assessment; §802 imposes up to 20 years imprisonment for document destruction — even for contemplated investigations. PCAOB AS 2201 graduates deficiency severity (control deficiency → significant deficiency → material weakness, with material weakness requiring adverse ICFR opinion).
F-RA-006-10 · gap-identification · lab-originated
The EU AI Act (Regulation (EU) 2024/1689) creates the world's first comprehensive AI regulatory framework with risk-based classification, conformity assessment, continuous risk management (Art. 9, ongoing iterative process across the lifecycle), and human oversight (Art. 14, enabling overseers to understand, detect issues, stop operation). Art. 72 post-market monitoring. Full application for high-risk AI: Aug 2 2026.
F-RA-006-11 · gap-identification · lab-originated
Vasarhelyi & Halper's (1991) Continuous Process Auditing System (CPAS) at AT&T Bell Laboratories demonstrated operational continuous auditing 35 years ago (audit-by-exception, graduated alarm system, all-current-events monitoring for billing/fraud) — yet the paradigm has not propagated to the broader audit profession.
F-RA-006-12 · gap-identification · lab-originated
The CICA/AICPA (1999) Research Report provided the authoritative definition of continuous auditing as event-level, near-real-time assurance — three elements (temporal proximity; a series of auditors' reports; events underlying the subject matter) that remain unrealized. Event-level focus implies decision-level governance.
F-RA-006-13 · gap-identification · lab-originated
Chan & Vasarhelyi (2011) formalized continuous auditing as a four-stage paradigm (automation; data modeling/benchmarks; analytics for anomaly detection; continuous reporting) with seven innovation dimensions. The "response gap" — this report's term, building on their paradigm — is the structural absence of post-detection mechanisms (investigation, remediation, escalation not systematically captured).
F-RA-006-14 · root-cause-diagnosis · lab-originated
Alles, Kogan & Vasarhelyi (2008) identified data access — not technology or methodology — as the primary barrier preventing continuous auditing implementation. CCM more tractable than full CA; enterprise systems not designed for real-time audit data; data granularity double-edged (unprecedented granularity overwhelms without sophisticated analytics); organizational resistance (surveillance perception).
F-RA-006-15 · gap-identification · lab-originated
Minkkinen, Laine & Mäntymäki (2022) established that Continuous Auditing of Artificial Intelligence (CAAI) has no established literature stream despite regulatory demand. CAAI defined as a (nearly) real-time electronic support system continuously/automatically auditing an AI system for consistency with norms/standards. Framework assessment found significant gaps between existing tools and CAAI requirements.
F-RA-006-16 · convergent-validation · lab-originated
Brown, Wong & Baldwin (2007) classified continuous auditing research into five streams (demand factors; theory and guidance; enabling technologies; applications; impacts) and identified "enabling technologies" — the infrastructure connecting demand to impact — as the weakest link; this diagnosis has held nearly two decades.
F-RA-006-17 · gap-identification · lab-originated
Bumgarner & Vasarhelyi (2018) updated the CA framework for big data, referencing the AICPA Audit Data Standards (2013) — Base, General Ledger, Receivables Subledger Standards — as the profession's attempt to create data infrastructure.
F-RA-006-18 · architectural-resolution-claim · lab-originated
Dai & Vasarhelyi (2017) proposed blockchain-based accounting through triple-entry accounting (a third cryptographically sealed entry on a shared ledger) but identified scalability, integration costs, and the oracle problem as persistent barriers. Decision record integrity can be achieved through cryptographic signing and append-only logs without distributed consensus overhead.
F-RA-006-19 · gap-identification · lab-originated
Arner, Barberis & Buckley (2017) argue RegTech represents a fundamental reconceptualization of financial regulation, not merely a compliance tool. Building on their reconceptualization, this report identifies three evolutionary phases: RegTech 1.0 (automation), 2.0 (analytics-driven), 3.0 (AI-native). Distinction: FinTech serves consumers/markets; RegTech serves regulatory/compliance functions.
F-RA-006-20 · gap-identification · lab-originated
Zeranski & Sancak (2020) identified an asymmetric technology problem between regulated entities (sophisticated FinTech/AI/algorithmic trading) and supervisory agencies (comparatively primitive infrastructure), creating regulatory blind spots. SupTech defined as the supervisory counterpart to RegTech. The May 6 2010 flash crash cited as evidence.
F-RA-006-21 · gap-identification · lab-originated
Butler & O'Brien (2019) critically assessed AI for regulatory compliance, distinguishing achievable applications (NLP for regulatory text, ML for transaction monitoring, automated regulatory reporting) from aspirational ones (fully autonomous compliance decision-making). Financial institutions reportedly spend more on data than any other sector.
F-RA-006-22 · convergent-validation · lab-originated
The GRC platform industry has evolved through three generations — Gen 1 (2000s, SOX-focused compliance management); Gen 2 (2010s, integrated risk management); Gen 3 (2020s, continuous compliance with AI) — all sharing a dependency on governance data they cannot generate; all are consumption layers.
F-RA-006-23 · gap-identification · lab-originated
Delegation of Authority (DoA) frameworks suffer from three structural problems: static documentation (matrices may be outdated at decision time), enforcement gap (no mechanism verifies decisions conform to DoA requirements), and audit archaeology (auditors retrospectively reconstruct which authority level applied to which decision).
F-RA-006-24 · structural-mapping · lab-originated
Federal grant compliance represents a high-value application domain due to explicit authority structures (12 standard compliance requirement types, Activities Allowed/Unallowed through Reporting), high documentation requirements, risk-based major program determination, cross-organizational governance (federal → pass-through → subrecipient), and structured FAC reporting amenable to automation.
F-RA-006-25 · root-cause-diagnosis · lab-originated
The persistence of AU-C 230 failures despite decades of emphasis, training, and peer review pressure indicates an architectural rather than behavioral root cause: current systems structurally separate documentation from decision-making.
F-RA-006-26 · architectural-framing · lab-originated
The W. Edwards Deming quality principle — "design quality in" rather than "inspect quality in" — provides the theoretical frame for why quality management (F3) is necessary but insufficient without infrastructure that embeds quality into the decision-making process itself.
F-RA-006-27 · convergent-validation · lab-originated
The audit profession's emerging "hybrid intelligence" model — combining AI analytical capability with human professional judgment — creates demand for infrastructure capturing both components and their interactions.
F-RA-006-30 · convergent-validation · lab-originated
Three independent evidence streams — professional standards (Stream 1: F1–F5), continuous auditing research (Stream 2: F11–F14, F16), and RegTech/GRC evolution (Stream 3: F19, F22) — converge on a single root cause: the absence of infrastructure that generates structured governance data at the point of decision, in real time. This is the "substrate gap."
F-RA-006-31 · architectural-framing · lab-originated
The audit landscape is undergoing three simultaneous convergent transformations — temporal (periodic → continuous assurance), scope (financial auditing → enterprise governance assurance), and technology (manual procedures → AI-enabled compliance) — all of which stall at the same boundary: the absence of governance data infrastructure.
F-RA-006-32 · convergent-validation · lab-originated
The continuous auditing research tradition traces a coherent 35-year arc (CPAS 1991 → CICA/AICPA 1999 → Brown et al. 2007 → Alles et al. 2008 → Chan & Vasarhelyi 2011 → Bumgarner & Vasarhelyi 2018 → Minkkinen et al. 2022) in which the same infrastructure gap is identified from a different angle at each stage — "the research tradition has been pointing at the same missing piece for 35 years."
Concepts2
enabling technologies (weakest research stream)asymmetric technology problem
Open Questions6
OQ-016Does a dedicated grants compliance domain paper warrant inclusion?
OQ-017What is the current state of blockchain-based audit implementations since Dai & Vasarhelyi (2017)?
OQ-018How do ISA converge with or diverge from the substrate gap thesis?
OQ-019What specific PCAOB inspection report data quantifies AU-C 230 noncompliance rates?
OQ-020How does AuditMAI (2024) advance the CAAI infrastructure problem?
OQ-021How does the IIA GTAG series extend the technology-enabled audit infrastructure?
Bibliography25
{American Institute of Certified Public Accountants} (2023) · AU-C Section 230: Audit Documentation
(2020) · Statement on Auditing Standards No. 142: Audit Evidence
{American Institute of Certified Public Accountants} (2021) · Statement on Auditing Standards No. 145: Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement
{U.S. Government Accountability Office} (2024) · Government Auditing Standards: 2024 Revision
{Institute of Internal Auditors} (2024) · Global Internal Audit Standards
(2019) · COBIT 2019 Framework
{Committee of Sponsoring Organizations of the Treadway Commission} (2013) · Internal Control---Integrated Framework
(2002) · Sarbanes-Oxley Act of 2002
{Public Company Accounting Oversight Board} (2007) · Auditing Standard No. 2201: An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements
{Office of Management and Budget} (2024) · 2 CFR Part 200: Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards
(2024) · Regulation (EU) 2024/1689 of the European Parliament and of the Council (EU AI Act)
Vasarhelyi, Miklos A. and Halper, Fern B. (1991) · The Continuous Audit of Online Systems
+13 more citations