Continuous controls monitoring

Continuous controls monitoring (CCM) is the use of automated tools to examine business transactions as they occur.

A CCM system automatically pulls certain data elements from a database of transactions and reviews all of these data elements. The intent is to conduct a complete scan of the data for control breaches, errors, possible segregation of duties problems, and anomalies from what is expected. The review is conducted by comparing the data to a set of tables that contain permitted transaction authorizations, allowable boundaries for detecting anomalies, itemizations of fields that must be completed for a standard transaction, and so forth. These tables are set up for each major transactional area, such as for inventory, payroll, accounts payable, travel and entertainment, and customer orders.

By comparing the tables to the data, a CCM can spot potential control problems, which are then reported to management on a real-time basis.

Here are several examples of CCM tests:

  • For the proper authorization of supplier invoices for payment
  • For the accuracy of inventory picking transactions
  • For the completeness of customer orders
  • For the issuance of customer invoices within __ hours of shipments to customers
  • For the authorization of credit memos related to unpaid customer invoices

A CCM system is relatively expensive, so this approach to auditing is not typically available to a smaller organization. However, if implemented, the system can reduce the need for manual internal control reviews. In addition, external auditors can rely upon a CCM to some extent when designing their audit procedures, which reduces the cost of their audit. Thus, the net cost of a CCM is somewhat reduced when its full effects are considered.