In part 1 of this series, we discussed how continuous controls monitoring is incredibly valuable for management. In this installment, we address a recurring question we hear when chatting with clients: "Listen, I know our process is broken. Why waste time monitoring it when we could spend that time fixing it? Aren't we checking the pulse of a dead patient?"
This statement does seem to have some logic to it. But it over-simplifies the situation. The reality is that monitoring your control activities is an integral part of the effort to fix them.
When we say "broken", we typically mean that the process is failing to achieve its objective. Translated into internal control terminology, this means the control activities are failing to mitigate risk.
Business processes are often very complex with many steps, risks, controls, stakeholders and participants. When we say "the process" is broken we mean one or more risks are not being controlled. But which controls? Why? That information is going to be critical in determining how we fix "it".
Monitoring controls that we suspect are not functioning can tell us which controls are failing and why. This information is critical to making good decisions about how to resolve the issue:
Further, once we resolve the issue (Repair, Implement, or Remove), we will want to keep monitoring to ensure new problems don't crop up and old ones don't reoccur. If you go in for heart surgery, doctors want to keep a close eye on you for some time thereafter!
How does your organization determine what expected controls are for various processes and determine which ones to monitor? Through best practices, which we discuss in part III of this series.