The difference between continuous controls monitoring and the continuous inspection of transactions
Continuing some thoughts from my earlier blog: there are major differences between continuous control monitoring on the one hand and the continuous monitoring or inspection of transactions on the other. Each has a role, and each adds value in a different way.
(By the way, for the purposes of this discussion, I will include in ‘transactions’ activities such as changes to master files, changes to systems access privileges, intrusion attempts, etc.)
(Also by the way, and contrary to some stated beliefs, neither continuous control monitoring nor continuous transaction monitoring is limited either to the purpose of assuring compliance or to the monitoring of financial transactions and controls. They both apply to all controls and all transactions and activities. Companies have been performing continuous monitoring for operational risks, controls, and activities for decades.)
The IIA’s Global Technology Guide on Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment (written by continuous auditing pioneer David Coderre, with expert assistance from John Verver of ACL Services and Professor Donald Warren of the Center for Continuous Auditing at Rutgers University) defines continuous monitoring as:
“… a process that management puts in place to ensure that its policies, procedures, and business processes are operating effectively.”
This is a sound definition. Note that the purpose of continuous monitoring is to obtain assurance that the “policies, procedures, and business processes are operating effectively”.
So, this generally-accepted definition of continuous monitoring is really the same as continuous control monitoring. It consists of activities focused on obtaining assurance that controls are operating the way they should.
On the other hand, the continuous inspection or monitoring of transactions is focused on testing transactions for integrity after they have been processed. Management uses technology to capture selected transactions and verify that they are correct. The intent is to detect exceptions, either to identify potential fraud or error, or to identify the need for process improvements (to prevent additional errors).
There is a great deal of difference between tests intended to confirm that controls are in place and tests that inspect transactions after the fact to ensure they are valid and correct. Transactions can be correct even if nobody is checking that they are correct. Likewise, controls may be in place, but because they provide only reasonable (not absolute) assurance, some number of flawed transactions can slip through.
Transaction monitoring is a detective control designed to catch flawed transactions.
Controls can be preventive or detective. Management will select the combination most appropriate for its organization, considering risks and costs. In some cases, such as customer invoicing, the emphasis will be on preventive controls because of the potential damage that would be created by issuing erroneous invoices. In other situations, such as the payment of invoices under $100, management might rely on detective controls alone or on a combination of preventive and detective controls.
One way to describe the difference between preventive controls and (detective) transaction inspection is by considering the topic of ‘quality’ in manufacturing and other processes. The famed W. Edwards Deming said: “You cannot inspect quality into the product.” Experts in quality management consider inspection the last chance to capture quality problems. Relying on inspection to ensure you have quality products is a high-risk, low-efficiency gamble. Quality experts focus instead on ensuring that the manufacturing process is reliable and produces a quality product; controls during the design and manufacturing processes provide that assurance. If inspection is detecting issues, that means the processes and preventive controls are deficient, and reworking or scrapping manufactured products is expensive.
Internal auditors focus on controls and not just transactions, because effective controls provide assurance that future transactions will be handled properly. The monitoring of transactions will only detect problems after they have occurred.
I think the value of continuous control monitoring is clear. By providing assurance that the controls are in place and operating effectively, management has confidence that the business is being run, transactions processed, and results reported correctly.
The value of continuous transaction monitoring is also clear – and different.
- It is a detective control that management may place significant reliance on. When the inspection is automated, the cost relative to alternative manual controls may justify at least a partial shift from preventive to detective. It also helps if the detection can be performed promptly, minimizing the delay between processing a transaction and detecting an error
- When considering the risk of fraud, it is important to have both effective preventive controls and detection procedures (in case the controls are circumvented). Continuous transaction monitoring provides a detective control in case preventive controls are ineffective or are bypassed (e.g., through collusion)
- In some cases, complex testing may be required to detect an error. For example, financial systems have long found it difficult to detect and prevent duplicate payments. Because the risk (in terms of the size of any single payment) is relatively low, it may be wise to accept the limitations of the financial system and rely on more thorough testing after-the-fact
- Testing some controls with automation can be difficult (see my earlier blogs on continuous auditing and my paper on continuous risk and control assurance). Testing transactions may provide sufficient assurance for low risk controls
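To make the distinction concrete, here is an added example (not from the original post, and not from any particular audit or ERP product) that runs both kinds of check over the same small set of constructed accounts-payable records. The control-monitoring functions ask whether the payment-approval control is configured as policy requires and whether it operated on every payment that needed it; the transaction-inspection function ignores approvals entirely and asks, after the fact, whether any posted payments look like duplicates, normalizing vendor names and invoice numbers so that near-duplicates are caught. The field names, the policy (two approvers other than the requester for payments at or above $10,000), the 30-day window and the sample records are all assumptions made for the illustration.

```python
"""Control monitoring versus transaction inspection over the same data.

Added example for illustration only. The record layout, policy values and
sample payments below are constructed assumptions, not real ERP data.
"""
import re
from datetime import date

# What the control SHOULD look like (assumed policy).
POLICY = {
    "approval_threshold": 10_000.00,  # payments >= this need two independent approvers
    "duplicate_invoice_check": True,  # AP system should reject reused invoice numbers
}

# How the control is ACTUALLY configured in the AP system right now (constructed).
CONTROL_CONFIG = {
    "approval_threshold": 10_000.00,
    "duplicate_invoice_check": False,  # somebody switched the preventive check off
}

# Payments already posted by the AP system (constructed records).
PAYMENTS = [
    {"id": 1, "vendor": "Acme Supplies Ltd.", "invoice": "INV-1001", "amount": 12500.00,
     "date": date(2024, 3, 1), "requester": "alice", "approvers": ["alice", "bob"]},
    {"id": 2, "vendor": "ACME SUPPLIES LIMITED", "invoice": "inv 1001", "amount": 12500.00,
     "date": date(2024, 3, 4), "requester": "carol", "approvers": ["dave", "erin"]},
    {"id": 3, "vendor": "Globex Corp", "invoice": "7781", "amount": 450.00,
     "date": date(2024, 3, 5), "requester": "alice", "approvers": []},
    {"id": 4, "vendor": "Globex Corp", "invoice": "7790", "amount": 450.00,
     "date": date(2024, 3, 6), "requester": "alice", "approvers": []},
    {"id": 5, "vendor": "Initech", "invoice": "A-55", "amount": 23000.00,
     "date": date(2024, 3, 7), "requester": "frank", "approvers": ["frank"]},
]


# --- Continuous CONTROL monitoring: is the control in place and operating? ---

def monitor_control_design(config, policy):
    """Compare the live configuration with policy. Finds controls that have been
    weakened or switched off, without looking at a single transaction."""
    findings = []
    if policy["duplicate_invoice_check"] and not config.get("duplicate_invoice_check"):
        findings.append("duplicate_invoice_check is disabled")
    if config.get("approval_threshold", float("inf")) > policy["approval_threshold"]:
        findings.append("approval_threshold is above policy")
    return findings


def monitor_control_operation(payments, policy):
    """Did the approval control operate on every payment that required it?
    Returns ids of payments where it did not. Says nothing about whether the
    payment itself was correct."""
    failures = []
    for p in payments:
        if p["amount"] < policy["approval_threshold"]:
            continue  # control not required for this payment
        independent = {a for a in p["approvers"] if a != p["requester"]}
        if p["requester"] in p["approvers"] or len(independent) < 2:
            failures.append(p["id"])
    return failures


# --- Continuous TRANSACTION monitoring: are the posted payments correct? ---

_SUFFIXES = re.compile(r"\b(ltd|limited|inc|incorporated|corp|corporation|co|llc|plc)\b")


def vendor_key(name):
    """Normalize a vendor name so 'Acme Supplies Ltd.' and 'ACME SUPPLIES LIMITED' match."""
    key = re.sub(r"[^a-z0-9 ]", " ", name.lower())
    key = _SUFFIXES.sub(" ", key)
    return " ".join(key.split())


def invoice_key(inv):
    """Normalize an invoice number so 'INV-1001' and 'inv 1001' match."""
    return re.sub(r"[^A-Z0-9]", "", inv.upper())


def inspect_transactions(payments, window_days=30):
    """After-the-fact duplicate detection across all posted payments, regardless
    of who approved them. Returns (earlier_id, later_id, reason) tuples.
    Same-amount matches are lower confidence than same-invoice matches."""
    by_vendor = {}
    for p in payments:
        by_vendor.setdefault(vendor_key(p["vendor"]), []).append(p)
    flagged = []
    for group in by_vendor.values():
        group.sort(key=lambda p: p["date"])
        for i, a in enumerate(group):
            for b in group[i + 1:]:
                if (b["date"] - a["date"]).days > window_days:
                    break  # group is date-sorted; nothing later can be in the window
                if invoice_key(a["invoice"]) == invoice_key(b["invoice"]):
                    flagged.append((a["id"], b["id"], "same invoice number"))
                elif abs(a["amount"] - b["amount"]) < 0.005:
                    flagged.append((a["id"], b["id"], f"same amount within {window_days} days"))
    return flagged


if __name__ == "__main__":
    print("Control design findings:", monitor_control_design(CONTROL_CONFIG, POLICY))
    print("Control operation failures (payment ids):", monitor_control_operation(PAYMENTS, POLICY))
    print("Suspected duplicate payments:", inspect_transactions(PAYMENTS))
```

Run against the constructed records, the two views disagree in exactly the way the post describes. Control monitoring reports that the duplicate-invoice check is switched off and that payments 1 and 5 were approved without the required independence; payment 2, by contrast, passed the control cleanly. Transaction inspection, which never looks at approvals, flags payment 2 as a duplicate of payment 1 (same vendor and invoice once normalized) and payments 3 and 4 as a possible duplicate pair below the approval threshold, where no preventive control applied at all. Payment 1 failed the control but may well be a perfectly correct payment; payment 2 passed it and is almost certainly wrong.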
So what does this all mean?
- There is no such thing as a combined ‘continuous control/transaction monitoring’. There is either continuous control monitoring or continuous transaction monitoring. Both can relate to any type of control or transaction, for the purpose of managing any form of risk (i.e., this is not limited to testing for the purposes of compliance, or to financial controls and transactions)
- Continuous transaction monitoring is a powerful detective control that should be considered in the design of internal controls, especially relative to fraud detection
- Continuous control monitoring provides assurance that controls are in place to prevent or detect errors in future transactions
- When designing a continuous monitoring or auditing program, consider the strengths and weaknesses of both. Refer to my paper for more on this topic.