Continuous Controls Monitoring and Continuous Auditing

Continuous Controls Monitoring and Continuous
Auditing – an integrated technology approach
John Verver CA, CISA, CMC
VP Professional Services
ACL Services Ltd
Continuous Controls Monitoring and Continuous Auditing
 Definitions, Distinctions, Relationships
An integrated approach for CCM and CA
Management role and activities
Audit’s role and activities
Technology requirements
Continuous Auditing
Shift from traditional approach of periodic cyclical audit
Method used to automatically perform audit procedures
on an ongoing basis
Allows audit to provide ongoing risk and control
Technology is key
Continuous Controls Monitoring
Process performed by management to determine
whether policies and controls are operating effectively
Establishes control objectives and assurance assertions
– and uses automated tests to identify activities and
transactions that fail to comply with controls
Allows management to fix control problems on a timely
basis – improves controls and improves operational
Technology is key
CA and CCM – an integrated approach
Many of the techniques used in CA and CCM are similar
How can both approaches be integrated and how does
this affect roles and responsibilities of audit and
CA and CCM – an integrated approach
CA and CCM – an integrated approach
Effective use of automated continuous auditing and
controls monitoring techniques can substantially reduce
the time required for ERM activities and controls testing
Helps to make it clear to management that they – and
not audit - are primarily responsible for determining
effectiveness of controls
Audit (internal and external) needs to be able to rely
upon the integrity of the Continuous Controls Monitoring
Audit reliance on Continuous Controls
Validation of control monitoring tests
 Design
 Processing
Security over access to the CCM system
Security over changes to tests and test parameters
Processing audit trail
Follow up procedures – response to control deficiencies
Technology requirements for Integrated
Comprehensive range of standard control tests
Configurability of additional tests
Ad hoc analysis to support CCM and CA process
Ability to access and monitor data, transactions and
activities from across the enterprise
Security and control over CCM process
Auditability of CCM process
Integration with ERM software
ACL Experience
Increasing recognition by internal audit and operational
management that CCM process should be owned by
Internal audit designing procedures around CCM
External auditing firms beginning to consider issues of
CCM audit reliance – security and control of CCM
process a significant concern
ROI argument for CCM repeatedly validated