Continuous auditing and continuous monitoring are one of the most misunderstood and under-utilized concepts in business. While continuous auditing and continuous monitoring, or CA and CM, may be two distinct concepts, they operate under the same development umbrella. When institutions design, build and implement them correctly, both can deliver targeted and dynamic results.
To leverage the power of this methodology, bankers should start by understanding the overlooked differences between the two approaches. Continuous auditing and continuous monitoring are two distinct disciplines.
The first key difference between the two is frequency. A confusing aspect of the CACM methodology is the name. Everyone hears the word “continuous” and believes this type of work goes on forever, without any consideration. That could not be further from the truth. Continuous auditing has a distinct start and finish; in contrast, continuous monitoring can be started and stopped at any time and has no set length of execution.
Like any type of formalized testing, a CA program must contain a time frame in which the work will be performed so a conclusion on the control effectiveness for the same period can be made. Conversely, a CM program can be started, stopped and restarted again for any length of time because it is not being executed to provide a conclusion on the control environment. Rather, it delivers an indication that a specific control or set of controls produces the expected results within acceptable performance limits.
The second key distinction is the testing specifics. The CA approach has detailed control process descriptions that provide information to develop the corresponding steps to be reperformed — in order to confirm the results. In contrast, the CM approach selects a control or controls and verifies the outcomes are within the acceptable limits of the business process requirements. At no time does a CM review, examine or reperform the control steps to validate results. The only information obtained and examined in the CM review is the result. If those results are within the acceptable control parameters, there is no additional verification performed. The CA approach provides a more comprehensive validation of the control environment compared to the CM approach.
Common Uses for the CACM Methodology
One of the most appealing aspects of the CACM methodology is that it can be applied to any business process in any industry. However, there are considerations to include in the evaluation process before selecting your target business processes. The most effective way to communicate these considerations is not by telling you the best business processes to target, but providing you with the business areas that should be avoided when developing your CACM methodology.
This does sound contradictory, but to avoid methodological pitfalls, there are limitations to consider when selecting a target CACM area. While you can apply the CACM methodology to any process, in any industry, it is important to consider using a new methodology to proactively validate your existing control environment and identify potential future challenges.
To do that, there are two areas to avoid when selecting your target CACM business processes: complexity and judgment. Regarding complexity, the methodology is going to ask you to identify the most critical control or controls in the process that directly impact the outcome. It will be difficult, if not impossible, to identify one or two critical controls in any complex business process. With judgment, the process allows for overrides, which potentially creates false positives in the CACM. Even with detailed approval guidelines, the subjective nature of the process makes it a challenging selection for a CACM.
At Baker Tilly, we recommend banks incorporate CACM into their compliance business process. Most compliance processes have very specific, detailed and documented process requirements with almost zero judgment. Compliance rules and regulations do not provide a significant amount of grey area. Those types of processes make it easier to incorporate your CACM process because the business requirements are clear and you will have an easier time selecting the most critical control points.
Continuous auditing and continuous monitoring provides organizations with a proactive review approach that help identify potential control breakdowns. This proactive approach allows organizations to enhance their current control environment, strengthen their compliance processes, mitigate risk and build a stronger business culture to mitigate risk and potentially eliminate future losses.