What is Continuous Monitoring in Internal Audit?

Ravinder Singh • 30 May 2025
Continuous monitoring enables internal audit functions to form a holistic view of the risks, current and emerging, facing the company. It can provide valuable real-time assurance that can help reduce negative impacts on the company.

What is Continuous Monitoring (CM)?
Continuous monitoring is a program to support the identification of risks with a forward-looking view, both within the company and the internal audit function. It is an effective and efficient method of providing the required assurance across the audit universe. It is also often used to support management committee and Board reporting and oversight.

CM is performed on an ongoing basis, reviewing inherent and emerging risks, the control environment and the audit needs of audit entities within the audit universe. Data is collected from various points such as Committee meeting packs and attendance, business unit management information, internal audit discussions with senior stakeholders, and peer reviews. Internal audit then assesses whether risks have increased and what audit action needs to be taken.

Internal audit can perform CM across the audit universe, looking at levels such as lines of business, functions and regions.

A CM program is considered best practice for internal audit, with standards and guidance issued by the Institute of Internal Auditors (IIA), such as:
Benefits of Continuous Assurance to Internal Audit
CM is an effective and efficient way of providing ongoing risk and control assessments for internal audit. One of the main benefits is that it provides a deeper understanding of the business and current practices, which enables internal audit to identify material risks on a timely basis, so that it can provide real-time assurance, with audit plan adjustments where deeper assessments are required. This can greatly assist senior management and stakeholders in taking appropriate actions on a timely basis before negative impacts occur.

Further to this, internal audit can provide timely challenge to business stakeholders on emerging material risks, especially where internal audit attends Committee meetings, prompting them to take appropriate actions and provide better governance.

Better visibility of emerging risks can allow internal audit to focus more on these higher risks in upcoming audits or to add to the risk assessment within audit entities. 

Reviewing risk profiles across businesses, functions and regions, and any changes that occur, can provide for a more informed audit plan, with justifications for inclusion based on changes in risk profile, and optimal resource allocation.

How to perform Continuous Monitoring?
Internal audit collects and assesses data, such as from the sources mentioned above, continuously throughout a period (often during the quarter). Findings and insights from first- and second-line assurance activities, regulatory pronouncements, macro developments, and industry and peer developments should also form a key part. An assessment can be made against key risk categories, for example financial, conduct and financial crime, information security, people risk, credit risk, liquidity and capital, etc., as appropriate for the company.

Internal audit makes an assessment by considering the need to amend audit focus based on the data gathered, and provides an opinion such as audit focus increasing/decreasing/stable. The factor causing the increase or decrease should be compared to the audit plan to identify gaps or prioritisations. This is often documented, reviewed and presented to Committees within the Company. The same care and attention given to other audit work and workpapers should be considered as part of CM where real-time issues are raised as a result of internal audit becoming aware of material and significant issues.

Continuous monitoring is a key program for internal audit which provides effective assurance on emerging risks and better corporate governance. The program should be set up with a robust structure and framework, with its importance highlighted within the internal audit team. If performed with diligence, it provides valuable insights and assurance to senior stakeholders within the Company and greatly assists in delivering internal audit’s mandate.