In my recent ISACA Journal Article (Vol. 2, 2015) I presented a review and pragmatic steps for the implementation of continuous control monitoring (CCM) for IT general controls. My approach has now been considered in a number of implementations for use across enterprise IT general controls.
My CCM approach starts with a top-down analysis of control objectives to determine which formal assertions to test. Some of the implementers have reported that they took more of a bottom-up approach: looking at the available data, what could be done with them, and which assertions were therefore possible.
In many organizations, IT operations support systems have poor data quality and do not lend themselves to a top-down approach. In these cases, a more pragmatic approach is to start with the existing operational key performance indicators (KPIs) or metrics reporting and identify how they could also be used for control assurance. CCM implementers have reported that the lack of data quality was a significant factor in determining the scope of CCM. A lack of policies and procedures governing the use of IT operations support systems, the absence of a data dictionary and weak data management within these systems appear to be severe limitations.
Implementations also struggle with selecting a tool set for CCM. Some implementations took a tactical approach and used Microsoft tools in order to balance the sometimes conflicting objectives of value-added reporting, ease of development, and complex data manipulation and data cleansing. Other implementations developed a shadow copy of the IT operations support systems, which requires appropriate infrastructure and operational management. Generally, implementers still needed to rely on some professional judgment for control assertions that could not be automated.
Some questions for further study are:
Is a top-down or bottom-up approach more useful?
How do we deal with poor data quality in IT operations support systems?
What architecture and tool sets are being used for CCM?
Should we “go it alone” or try to build production-grade systems?
Are we able to replace control assurance completely with CCM for any controls?