The majority agree – the term “continuous controls monitoring of transactions” is misleading

We now have several authoritative comments and feedback to my earlier post on this topic. It is time to draw some conclusions.

As a reminder, this was my post:

One of my regular complaints is about people who assert continuous controls monitoring is an automated technique. Sorry, but while automation can monitor transactions and changes to master data for integrity, it is not a complete solution to the monitoring of controls.

Continuous monitoring of transactions to inspect their integrity can be 100% automated, with just the review of exceptions manual.

But, the continuous monitoring of controls can only be partially achieved through automation. Consider:

• Testing transactions does not provide positive assurance that controls are present and operating effectively. They only tell you that the transactions are clean. (If the transactions are clean, you have a strong indication that controls are not present or ineffective. But monitoring is about confirming controls are present)
• Some controls (such as the review by a manager of a reconciliation, the performance of a physical inventory count, or employee understanding of the code of conduct and other key policies) do not lend themselves to automated testing

To perform continuous monitoring of controls, you need a combination of techniques: automated monitoring, automated control testing, and other tests such as surveys and manual test procedures.

Some talk about the acronym CCM/T (continuous control monitoring/transactions). This is (IMHO) wrong. You can have CM/T (continuous monitoring/transactions) and you can have CCM (continuous control monitoring) – a partly automated and partly manual process. But you can’t have CCM/T.

All but one who contributed comments agreed that the term CCM/T is at least “technically defective” (French Caldwell, from Gartner). As John Verver of ACL said, “Examination of financial or operational transactional data is not examination of the control itself”.

So what does this all mean?

In another post, I explored the different value propositions between controls monitoring and the monitoring of transactions. Each has its place, and potential users should consider which (and that may include a combination of the two) meets his/her needs.