The majority agree – the term “continuous controls monitoring of transactions” is misleading
We now have several authoritative comments and feedback to my earlier post on this topic. It is time to draw some conclusions.
As a reminder, this was my post:
One of my regular complaints is about people who assert continuous controls monitoring is an automated technique. Sorry, but while automation can monitor transactions and changes to master data for integrity, it is not a complete solution to the monitoring of controls.
Continuous monitoring of transactions to inspect their integrity can be 100% automated, with just the review of exceptions manual.
But, the continuous monitoring of controls can only be partially achieved through automation. Consider:
- Testing transactions does not provide positive assurance that controls are present and operating effectively. They only tell you that the transactions are clean. (If the transactions are clean, you have a strong indication that controls are not present or ineffective. But monitoring is about confirming controls are present)
- Some controls (such as the review by a manager of a reconciliation, the performance of a physical inventory count, or employee understanding of the code of conduct and other key policies) do not lend themselves to automated testing
To perform continuous monitoring of controls, you need a combination of techniques: automated monitoring, automated control testing, and other tests such as surveys and manual test procedures.
Some talk about the acronym CCM/T (continuous control monitoring/transactions). This is (IMHO) wrong. You can have CM/T (continuous monitoring/transactions) and you can have CCM (continuous control monitoring) – a partly automated and partly manual process. But you can’t have CCM/T.
All but one who contributed comments agreed that the term CCM/T is at least “technically defective” (French Caldwell, from Gartner). As John Verver of ACL said, “Examination of financial or operational transactional data is not examination of the control itself”.
So what does this all mean?
In another post, I explored the different value propositions between controls monitoring and the monitoring of transactions. Each has its place, and potential users should consider which (and that may include a combination of the two) meets his/her needs.
Leave a Reply
Share this blog
Recent Posts on Norman’s IIA Blog
- The Time Has Come for Marks on Governance December 14, 2017
- How to Improve Your SOX Compliance Program December 10, 2017
- The Challenge of Risky Decisions December 4, 2017
- Focusing on Internal Audit Communications November 28, 2017
- Sexual Harassment Risk, Governance, and Audit November 28, 2017
- CISOs and Many Others Need to Talk the Language of the Business November 13, 2017
- Maybe Objectives, Risk, and Controls Are the Wrong Focus November 3, 2017
- The Most Important Audits I Ever Performed October 30, 2017
- What Are the Biggest Risks for Internal Audit This Year and Next Year? October 23, 2017
- The Auditor of the Future October 16, 2017
To clarify: whem I say “the majority”, I am referring to those who provided comments on the earlier posts.
Norman, It was quite informative conversation.