Continuous Monitoring and Auditing
Continuous auditing (CA) is the gathering of evidence by an internal auditor on people, processes, systems and the related controls on a frequent basis. Continuous monitoring (CM) is a feedback mechanism used by management to ensure the processes and controls in place work as they are intended to. This monitoring can be an important element of the School’s internal control framework as defined by the Committee of Sponsoring Organizations (COSO).
CA is often confused with CM since they are similar in nature. For instance, both analyze organizational data for key attributes of interest. However, they are markedly different functions. The most obvious difference who is performing the function: CA is a function of the Office of Internal Audit & Consulting Services and CM is the responsibility of management. Additionally, the differences are even better seen as it relates to the School’s enterprise risk management framework.
There is a Three Lines of Defense model that distinguishes among three groups or lines involved in an effective risk management framework: (1) functions that own and manage risks, (2) functions that oversee risks, and (3) functions that provide independent assurance.
- 1st Line of Defense: Operational Management – They are responsible for maintaining effective internal controls and executing risk and control procedures on a day-to-day basis. Such risks may be operational in nature or may have to do with finance and compliance. There should be adequate oversight in place to ensure control breakdowns and unexpected events are identified timely.
- 2nd Line of Defense: Risk Management and Compliance Functions – These functions help ensure the first line of defense is properly designed, in place, and operating as intended. The responsibilities of these functions could include identifying known and emerging issues, identifying shifts in risk appetites, providing guidance and training, as well as monitoring controls or compliance with laws and regulations.
- 3rd Line of Defense: Internal Audit – Internal audit provides assurance on the effectiveness of governance, risk management, and internal controls, including the manner in which the first and second lines of defense achieve risk management and control objectives. This comprehensive assurance is at the highest level of independence and objectivity within the organization.
Basically, CM can serve as the first two lines of defense that is driven by management. And CA, as an internal audit function, can serve within the third line of defense for the School.
The best method to get the most value out of these processes is to use a combination of both. However, each can be implemented without the other. And coordinated efforts are important to avoid duplication of efforts and unproductive use of resources. If done right, the benefits of a successfully implemented CA program include a better understanding of risks to the enterprise, increased control effectiveness, support for compliance efforts, and optimal use of IA resources and potential adoption of CM procedures.
Examples of areas that can be continuously monitored (or audited) include: student financial aid, research administration, procurement, and financial policy compliance.