One of the responsibilities of line management in many organisations (particularly in financial services) is to provide assurance to the chief executive officer (CEO) and executives that high-rated risk factors are managed and that appropriate controls are in place and operating effectively. With increases in the regulatory regime, increasing technology complexity and pressures on cost, organisations are seeking productivity improvements in the evaluation of the performance of internal controls. One method of productivity improvement is applying technology to allow near continuous (or at least high-frequency) monitoring of control operating effectiveness, known as continuous controls monitoring (CCM). CCM is a subset of continuous assurance, alongside continuous data assurance (verifying the integrity of data flowing through systems) and continuous risk monitoring and assessment (dynamically measuring risk).
Improved management and monitoring of controls through CCM (and associated risk management activities) may reduce the extent to which audit and assurance staff need to undertake annual detailed testing of controls. In addition to cost reductions through improved efficiency and effectiveness (see figure 1 above), other benefits include increased test coverage (through greater sampling and the ability to do more with the same or less labour), improved timeliness of testing, reduced risk velocity and potentially reduced remediation cost, greater visibility (when included in a governance, risk and compliance [GRC] solution), improved consistency, and the ability to identify trends. CCM also allows the replacement of manual, error-prone preventive controls with automated detective controls where this would reduce the risk profile.
The steps for implementing CCM include:
- Identify potential processes or controls according to industry frameworks such as COSO, COBIT 5 and ITIL; define the scope of control assurance based on business and IT risk assessments; and establish priority controls for continuous monitoring.
- Identify the control objectives (or goals) and key assurance assertions for each control objective. (Guidelines for the formalisation of assertions may need to be developed as the concept of formal assertions is not well developed within IT risk).
- Define a series of automated tests (or metrics) that will highlight (or suggest) success or failure of each assertion using a “reasonable person holistic review.”
- Determine the process frequencies in order to conduct the tests at a point in time close to when the transactions or processes occur.
- Create processes for managing the generated alarms, including communicating and investigating any failed assertions and ultimately correcting the control weakness.
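To make the steps above concrete, the following added example (not from the original article) shows a minimal CCM harness: a control objective is broken into formal assertions, each assertion has an automated test, the tests run over a batch of constructed payment records, and every failure becomes an alarm with a per-control count for trend reporting. The control identifiers, the payment fields and the approval threshold are assumed values for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed sample: one day's payment records from a hypothetical payments system.
SAMPLE_PAYMENTS = [
    {"id": "P1", "amount": 500,   "created_by": "alice", "approved_by": "bob"},
    {"id": "P2", "amount": 25000, "created_by": "carol", "approved_by": "carol"},  # same person
    {"id": "P3", "amount": 75000, "created_by": "dave",  "approved_by": None},     # no approval
    {"id": "P4", "amount": 1200,  "created_by": "erin",  "approved_by": "frank"},
]

APPROVAL_THRESHOLD = 10000  # assumed policy value: payments above this need an approver


@dataclass
class Assertion:
    """One key assurance assertion for a control objective, paired with its automated test."""
    control_id: str
    statement: str
    test: Callable[[dict], bool]  # returns True when the record satisfies the assertion


def sod_preserved(p: dict) -> bool:
    # Segregation of duties: the approver must not be the creator (unapproved is not a SoD breach).
    return p["approved_by"] is None or p["approved_by"] != p["created_by"]


def large_payment_approved(p: dict) -> bool:
    # Authorisation: any payment above the threshold must carry an approval.
    return p["amount"] <= APPROVAL_THRESHOLD or p["approved_by"] is not None


ASSERTIONS = [
    Assertion("PAY-01", "Payment creator and approver are different users", sod_preserved),
    Assertion("PAY-02", f"Payments above {APPROVAL_THRESHOLD} carry an approval", large_payment_approved),
]


def run_control_tests(records: List[dict], assertions: List[Assertion] = ASSERTIONS) -> List[Dict]:
    """Run every assertion over every record and return one alarm per failed assertion."""
    alarms = []
    for rec in records:
        for a in assertions:
            if not a.test(rec):
                alarms.append({"control": a.control_id, "record": rec["id"], "assertion": a.statement})
    return alarms


def summarise(alarms: List[Dict]) -> Dict[str, int]:
    """Failure count per control: the metric a GRC dashboard would trend over successive runs."""
    counts: Dict[str, int] = {}
    for alarm in alarms:
        counts[alarm["control"]] = counts.get(alarm["control"], 0) + 1
    return counts
```

Scheduling `run_control_tests` at the process frequency (for example after each payment batch) and routing the returned alarms into an investigation queue covers the last two steps of the list.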