Continuous Monitoring of Controls Is Not the Same as Inspecting the Integrity of Transactions

I continue (pun intended) to be surprised that people don't understand the difference between the continuous monitoring of controls and the continuous monitoring, or inspection, of transactions.

When people talk about continuous controls monitoring by testing payments to see if they are duplicate payments, or (to quote one vendor) by testing "the integrity of individual transactions," they are — in my opinion — getting the language all wrong. They are inspecting transactions, and not providing any assurance that controls are adequately designed or operating effectively. That is not continuous controls monitoring.

Just because transactions are "correct" doesn't mean that controls are in place or operating.

Finding errors is a strong indication of a control failure, but that is all. The nature of internal control is that it provides reasonable but not perfect assurance; just check the COSO Internal Control Framework.

Internal auditors are primarily concerned with obtaining and providing assurance that controls are adequate. So, they are going to be (or should be) more interested in routines that provide assurance on a continuing basis that the controls are designed well and operating effectively. They should be less concerned, except when looking to detect fraud, with the inspection of transactions. That is a management role.

I wrote about this at length last year in a popular post on my other site (here) and my opinion hasn't changed. While the post got a lot of attention (1600 views), I still see vendors presenting transaction inspection as control monitoring.

Did I miss something? Am I wrong?

Posted on May 11, 2011 by Norman Marks

  1. Agree. Control over the day-to-day activities is the function of Management, whereas Internal Audit ensures that the control put in place by Management is adequate and effective.
  1. Somebody asked a question on LinkedIn about why it is important to understand the difference between monitoring of controls and transactions. This is what I replied:

    1. Management should consider both monitoring of transactions (a detecting control) and monitoring of controls (to have assurance they function as intended). 
    2. Internal auditors need to understand the difference. Only one provides reliable assurance on controls, although the other provides a lower level of comfort.
    3. For SOX, I would much prefer to monitor controls because that is the intent of management assurance - that the controls provide reasonable assurance.

  1.  Correction: typed "detecting control" instead of detective control

  1. Agreed.

    Just because transactions are "correct" doesn't mean that controls are in place or operating.

    However, just because the controls are in place and operating doesn't mean the underlying risk has been mitigated either.

    There is a valid point about who should care, management or audit, but I observe best practice in internal audit as providing reasonable assurance AND management advice about improvement of risk monitoring and management.

    There is clearly a case for both control monitoring AND data and transaction monitoring. They are all valid techniques. The ambiguity is in the 'CCM' term, which perhaps should be 're-acronymed' as 'CM'.

  1. This is a very important distinction. It is essentially the difference between management's role to effect controls to ensure compliance of transaction versus the auditor's role to provide assurance that those controls are being effective.

    Personally, I feel that once an auditor says that he continuously monitors say Procurement then the danger is that management will rely on the auditor to detect non-compliant transactions. I have had it said to me that "Internal Audit is responsible for ensuring compliance". It is difficult to refute this when the profession has so willingly used technology to up our sampling techniques to 100% over some controls! This is not what we are there for.
