I continue (pun intended) to be surprised that people don’t understand the difference between the continuous monitoring of controls and the continuous monitoring, or inspection, of transactions.
When people talk about continuous controls monitoring by testing payments to see if they are duplicate payments, or (to quote one vendor) by testing “the integrity of individual transactions”, they are – in my opinion – getting the language all wrong. They are inspecting transactions, and not providing any assurance that controls are adequately designed or operating effectively. That is not continuous controls monitoring.
Just because transactions are ‘correct’ doesn’t mean that controls are in place or operating.
Finding errors is a strong indication of a control failure, but that is all. The nature of internal control is that it provides reasonable but not perfect assurance – just check the COSO Internal Control Framework.
Internal auditors are primarily concerned with obtaining and providing assurance that controls are adequate. So, they are going to be (or should be) more interested in routines that provide assurance on a continuing basis that the controls are designed well and operating effectively. They should be less concerned, except when looking to detect fraud, with the inspection of transactions. That is a management role.
I wrote about this at length last year in a popular post on my other site (here) and my opinion hasn’t changed. While the post got a lot of attention (1600 views), I still see vendors presenting transaction inspection as control monitoring.
Did I miss something? Am I wrong?