Continuous monitoring

From Wikipedia, the free encyclopedia
Jump to navigation Jump to search

Continuous monitoring is the process and technology used to detect compliance and risk issues associated with an organization's financial and operational environment.[1] The financial and operational environment consists of people, processes, and systems working together to support efficient and effective operations. Controls are put in place to address risks within these components. Through continuous monitoring of the operations and controls, weak or poorly designed or implemented controls can be corrected or replaced – thus enhancing the organization's operational risk profile. Investors, governments, the public and other stakeholders continue to increase their demands for more effective corporate governance and business transparency.


Continuous monitoring can be traced back to its roots in traditional auditing processes. It goes further than a traditional periodic snapshot audit by putting in place continuous monitoring of transactions and controls so that weak or poorly designed or implemented controls can be corrected or replaced sooner rather than later.


Effective corporate governance requires directors and senior management overseeing the organization with a broader and deeper perspective than in the past. Organizations must demonstrate they are not only profitable but also ethical, in compliance with a myriad of regulations, and are addressing sustainability.

To be effective, those involved in the organizational governance process must take an enterprise wide view of where the organization has been, where it is and where it could and should be going. This enterprise wide view also must include consideration of the global, national and local economies, the strengths and weaknesses of the organization's culture, and how the organization approaches managing risk.

Risk management[edit]

Managing risk involves actions beyond establishing and communicating policies and procedures at a high level. It includes understanding the need for (and exercising) both qualitative and quantitative judgment at the governance and operational level on a routine basis (including having an effective system of internal control). The Sarbanes-Oxley Act of 2002 [2] created new and higher level requirements for organizations to establish effective internal controls and to assure compliance on an ongoing basis.

As organizations have set about to institute compliance programs they have learned they must come up with new methods for maintaining that compliance. Continuous monitoring is part of the solution. It can be a key component of carrying out the quantitative judgment part of an organization's overall enterprise risk management.

Continuous monitoring is the process and technology used to detect compliance and risk issues associated with an organizations financial and operational activities. It actively identifies, quantifies and reports control failures such as duplicate vendor or customer records, duplicate payments, and transactions that fall outside of approved parameters. A by-product of continuous monitoring is it highlights opportunities to improve operational processes.

Potential benefits[edit]

Timely identification of problems or weaknesses and quick corrective action can help reduce the cost of any required periodic financial, regulatory, and operational reviews to a reasonable level. A Financial Executives International (FEI) March 2005 survey indicated it could cost an average of $4.36 million for a company to test for and ensure year-one compliance with Sarbanes-Oxley Act Section 404.[3] Continuous monitoring typically includes solutions that address the three operational disciplines known as

  • continuous audit
  • continuous controls monitoring
  • continuous transaction inspection

Continuous monitoring systems can examine 100% of transactions and data processed in different applications and databases. The continuous monitoring systems can test for inconsistencies, duplication, errors, policy violations, missing approvals, incomplete data, dollar or volume limit errors, or other possible breakdowns in internal controls. Testing can be done for processes like payroll, sales order processing, purchasing and payables processing including travel and entertainment expenses and purchasing cards, and inventory transactions.


  1. ^ Joint Task Force Transformation Initiative (2010). "SP 800-37 Rev. 1. Guide for Applying the Risk Management Framework to Federal Information Systems: a Security Life Cycle Approach". Gaithersburg, MD, USA. Cite journal requires |journal= (help)
  2. ^ "The Sarbanes-Oxley Act 2002". Retrieved 2012-08-07.
  3. ^ "Sarbanes-Oxley Act Section 404. Sarbanes Oxley 404 Made Easier". Archived from the original on 2012-08-06. Retrieved 2012-08-07.