Being audited is hard work! Managers spend a lot of time getting prepared, answering questions and generally feel like they are under a microscope. Despite this, most acknowledge that audits are valuable. How can you get the benefits that audits provide without the pain? Continuous Controls Monitoring (sometimes referred to by the acronym CCM or just shortened to continuous monitoring)!
To understand why this is true, we need to understand a bit about the similarities and differences between audits and CCM.
Both include the performance of assessments. One difference is ownership of the assessment process – the auditor is responsible for auditing, while monitoring is owned by management. You could say monitoring is auditing performed by management. CCM also provides several benefits.
Easier (and Cheaper) Audits
Continuous controls monitoring and external audit often directly impact each other. If you have an undocumented, unmonitored set of internal control activities, you should expect your external auditor to perform extensive sampling and testing. That leads to increased time and effort for the auditor, increased professional fees and increased support work for you.
Contrast that with an organization who has very strong monitoring of their internal controls, excellent documentation of the exceptions found and their remediation. Your auditor can review this evidence of your strong internal control system and conclude that there is minimal risk. That means less testing and time on their part, reduced professional fees and less work for you.
With continuous monitoring, your audit reports can change from a laundry list of errors made throughout the prior year to a discussion of improvements in your management and control processes to better prevent, detect and remediate errors in the future.
Timely and Efficient Management
In addition to reducing the number of tests being performed (which should yield less expensive audits), continuous monitoring provides another significant benefit - timeliness.
CCM occurs alongside business processes, so identified issues can be addressed proactively before it becomes a major (public) problem. Consider the difference between:
- finding and putting a hold on a suspected duplicate invoice payment before it is paid vs.
- detecting the payment months after it has occurred during an audit and then trying to recover funds from the vendor.
By monitoring your internal control activities continuously, you have the opportunity to manage your processes as they are happening, rather than retrospectively.
Check out the second part of this blog series to find out why continuous monitoring is even more important when we know controls are broken.