A Primer on Continuous Monitoring
Here’s a simple equation from a company that churns through thousands of complex transactions every day:
Continuous auditing + continuous monitoring = continuous assurance
While researching a case study on the continuous monitoring process at Siemens Financial Services, Inc., I’ve been boning up on the difference between continuous auditing and continuous monitoring.
The difference boils down to ownership: Internal auditing owns continuous auditing while management owns continuous monitoring. The essential processes are similar: using technology – wedded to business rules – to evaluate hundreds of thousands of system transactions to determine if any errors, inaccuracies, or other issues exist.
The difference of ownership is crucial. The head of Siemens Financial Services’ controls management function says that continuous monitoring qualifies as a control.
He also points out that, unlike internal audit, his team can help spot opportunities for preventative controls and also work side by side with business process owners to institute new preventative controls (or to correct existing controls that are either insufficient or not being executed properly).
In most cases, internal audit cannot do that because of its need to maintain independence from management and business process owners.
More, much more, to come on this topic here and in the magazine.

July 14th, 2009 at 5:00 pm
Eric, the Siemens story is good as far as it goes. However, there is a real danger when auditing out-of-context. What I mean by that is that you audit what you think is important, rather than doing so based on an understanding of the more critical risks to the business.
The optimal approach is to work from the organization’s strategies, goals, and objectives. Then identify risks to their achievement, and the controls in place to manage the risks within organizational tolerances.
Now build a continuous monitoring or auditing program to provide assurance that the controls you just identified are properly designed and operating effectively on a continuing basis.
Automated testing of controls only provides limited assurance, because of the nature of the controls. Some operate at the entity level (such as the code of conduct, hiring of qualified and sufficient personnel, etc.). At the process level, some controls are manual. As an example, how can you test the quality of a physical inventory observation or the depth of a manager’s review of an account/reconciliation/journal entry using an automated test?
Continuous risk and control assurance is the answer. The methodology I developed, published by SAP, and which I have successfully presented at various internal audit conferences, helps management or auditor develop a program to provide stakeholders with assurance on a continuing basis that risks are managed and controls operate effectively on a continuing basis.
Please let me know if you would like to discuss.