（2005）Continuous Monitoring：A Strategy for more Effective Controls.pdfVIP

Continuous Monitoring A Strategy for more Effective Controls John Hughes IT Audit Systems Consultant Satori Group Australia Continuous Controls Monitoring • The need for continuous controls monitoring • Conceptual model for continuous controls monitoring • Types of controls that can be continuously monitored through technology • Methodology for automated continuous controls monitoring • Practical implementation issues The Need for Continuous Controls Monitoring • Continuous monitoring and auditing – Discussed for many years – Progress made – but limited • Regulatory Compliance now driving the need – How to efficiently and cost effectively sustain controls assessment and testing efforts? – How to know on a timely basis when control deficiencies occur? – How to quantify the impact of control deficiencies? – How to improve effectiveness of controls – How to gain assurance over effectiveness of controls Model for Continuous Monitoring of Controls • Identify the control rule for each internal control point (using COSO framework) • Establish tests that, using transactional data analysis, will validate each control rule • Establish tests that will identify suspect transactions, using transactional profiling techniques • Subject all transactions to a suite of tests on a regular, timely basis • Identify all transactions that fail the tests • Notify the appropriate personnel • Investigate any transactions that fail and, as appropriate, – Correct the transactions – Correct the control problem Continuous Monitoring Model Data Data Data Access transactional data from disparate sources Transactional Data