Integrating risk management and automated controls
A number of vendors offer solutions for continuous controls monitoring, but few are linked to the management of risks. The ideal is to be able to use a top-down, risk-based approach.
Rather than going straight to testing controls or monitoring data (which is what most products actually do), start with identifying the risks for which you want to obtain assurance. Then and only then identify and test the controls relied upon to manage those risks.
SAP’s strategy is just that and more. In fact, it starts with the organization’s strategies, identifies risks to their achievement, and then links those risks to the controls and tests them.
This analyst review comments on the value of such an approach: http://www.ovum.com/news/euronews.asp?id=8016