Continuous controls monitoring – grossly misunderstood!

Vendors, consultants, and others have a new term to abuse: CCM/T. It stands for continuous control monitoring/controls. The idea is that by using automated transaction monitoring tools (like SAP BusinessObjects Process Control), you can provide assurance that controls are in place and effective.

In this blog, I argue that CCM/T is a concept without validity. Not all controls lend themselves to automated testing, and testing transactions does not prove controls are in place.

I am fine with the concepts of continuous monitoring of transactions and continuous monitoring of controls – just not with the idea that one provides the other.

1 Comment
  • Norman,

    These folks you know who are so confused about controls could use some education in controls and auditing techniques. Maybe my exposure is just limited, but I can’t say that I’ve seen an abundance of people who think that continuous transaction monitoring provides monitoring of *all* controls. It’s something you learn in ERP Controls 101: controls can be transactions, system configuration such as tolerances, security role configuration, physical controls (such as locking up inventory), the system and password parameters in RZ10, segregation of duties, account reconciliation, three-way match, and the list goes on.

    Continuous transaction monitoring is an important control tool, and generally the more automation the better, but it’s just one tool in the toolbox. In my experience, anyone involved in SOx or other regulatory compliance due diligence, assessment, and review learns that right out of the chute if they didn’t know it already.