To ensure effective continuous monitoring, adequate segregation-of-functions must be sustained. Continuous monitoring and segregation-of-functions are not new control concepts. Yet technological integration issues can be a barrier to implementing continuous monitoring systems that are independent of operational processes and capable of easy configuration for specific risk tolerance requirements. Procedurally, achieving appropriate functional independence in an automated system necessitates defining IT and operational user work units with the control context in mind. As a result, when properly deployed, segregation-of-functions ensures that organizational responsibilities do not impinge upon independence or corrupt information system asset integrity while data regarding individual processes are tracked and collected.
Continuous monitoring allows management to have greater insight into the entity’s current state of compliance. Typically, for IT, continuous monitoring involves ongoing automated testing of selected data within a given process area against a suite of control protocols. Management can utilize this information to set or reset process guidelines, rules and tests, using applied analytics to identify performance gaps or unusual events that may suggest control failures. This type of continuous monitoring can exist in IT hardware, firmware or software enabled to observe and record automated activities. Therefore, automated continuous monitoring provides a timely feedback mechanism for management to ensure that configuration items and controls are operating as designed and data are processed appropriately.
Benefits of Continuous Control Monitoring
Since management is responsible for the entity’s controls, it should have the means to determine, on an ongoing basis, whether selected controls are operating as designed. Continuous monitoring typically addresses management’s responsibility to assess the adequacy and effectiveness of controls. It enhances managerial capabilities and entity-level controls while striving to maintain acceptable performance levels. Furthermore, with the ability to identify and correct control problems on a timely basis, automated continuous monitoring enriches an entity’s compliance program. Nonetheless, the key to a successful deployment of automated continuous monitoring is process ownership by the personnel assigned responsibility for responding to reported exception conditions.