Continuous monitoring process
The IIA defines continuous monitoring as “the process that management puts in place to ensure that policies, procedures and business processes are operating effectively. It typically addresses management’s responsibility to assess the adequacy and effectiveness of controls.”
Key to this kind of monitoring is for management to own and perform the process as part of its responsibility to implement and maintain an effective control environment. Since management is responsible for internal controls, it should have a means to determine, on an ongoing basis, whether the controls are operating as designed.
By being able to identify and correct control problems on a timely basis, the organization’s overall control environment can improve. A typical additional benefit to the organization is that instances of error and fraud are significantly reduced, operational efficiency is enhanced, and bottom-line results are improved through a combination of cost savings and a reduction in overpayments and revenue leakage. Monitoring can be achieved through automated technology or through manual processes and procedures.
But before deciding on which approach to take, the key is for management to determine what works best for the organization to achieve the ultimate goal: strengthening the control environment.
This goal is in line with the definition of internal auditing, which says the function should help “an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”
When an organization effectively implements the monitoring processes, the amount of detailed testing required by internal auditors decreases. This further allows the internal audit function to employ a risk-based audit approach and focus on areas of the organization with the greatest need.
Continuous monitoring may be instrumental to detection of fraud.