Continuous controls monitoring – grossly misunderstood!
One of my regular complaints is about people who assert continuous controls monitoring is an automated technique. Sorry, but while automation can monitor transactions and changes to master data for integrity, it is not a complete solution to the monitoring of controls.
Continuous monitoring of transactions to inspect their integrity can be 100% automated, with only the review of exceptions performed manually.
But the continuous monitoring of controls can only be partially achieved through automation. Consider:
- Testing transactions does not provide positive assurance that controls are present and operating effectively. It only tells you that the transactions are clean. (If the transactions are not clean, you have a strong indication that controls are not present or are ineffective. But monitoring is about confirming controls are present.)
- Some controls (such as the review by a manager of a reconciliation, the performance of a physical inventory count, or employee understanding of the code of conduct and other key policies) do not lend themselves to automated testing.
To perform continuous monitoring of controls, you need a combination of techniques: automated monitoring, automated control testing, and other tests such as surveys and manual test procedures.
Some talk about the acronym CCM/T (continuous control monitoring/transactions). This is (IMHO) wrong. You can have CM/T (continuous monitoring/transactions) and you can have CCM (continuous control monitoring) – a partly automated and partly manual process. But you can’t have CCM/T.