Determining the Benefits of Continuous Monitoring: A Tool for Prioritizing Internal Controls during a Continuous Monitoring Implementation
MetadataShow full item record
The research area of Continuous Monitoring (CM) is rather manifold. The concept of CM has emerged as a link between corporate governance, financial reporting, audit, internal control and IT. In order to meet compliance and operational objectives, organizations establish internal systems that categorize the most important risks, with all the necessary mitigating measures, entitled controls. Together, the controls should provide reasonable assurance that the business is in control. Publicly traded companies develop internal control systems with the main purpose of providing accurate financial statements that portray the reality as it is. In order to do that controls must be tested on a regular basis. Due to the high amount of work required, it has become an auditor’s task instead of the controller’s duty. For that reason, extensive academic work exists on the topic of audit, more precisely on Continuous Auditing (CA). CA refers to the use of system-based techniques that replace the manual audit ones. Although CM has emerged with an identical meaning as CA, a clear delimitation started to be observed over the past years between the two. Although no generally accepted terminology exists on CM, they all refer “a process to ensure that policies and processes are operating efficiently and to assess adequacy and effectiveness of controls” (CICA/AICPA, 1999). The recent technological advancements make it possible for the controllers to monitor their controls on a regular basis, and provide evidence to the audit whether controls are functioning as intended, and what steps are performed in case exceptions are encountered. One example of a control is the three-way match. The amount of goods ordered, the amount of goods received, and the amount of goods invoiced, together with their value must match. Although the three-way match setting exists in most ERP systems, due to their complexity, it is assumed that this setting is enabled. CM provides complete assurance whether such a setting is enabled or not, and, most importantly, examines the entire population of transactions to check whether there are any three-way mismatches. Due to the significant amount of controls that organizations set, it is unclear on which controls to focus first in a CM implementation project. Consequently, this research proposes an internal control prioritization tool that would identify and relate the relevant dimensions in order to prioritize a set of controls. In order to evaluate the results of the framework, two case studies are used. Challenges of adopting CM technology are identified by the means of a questionnaire. A clear picture of what CM represents is presented by performing extensive literature study various discussions within BWise and expert interviews.