ISACA Journal Author Blog

ISACA > Journal > Practically Speaking Blog > Posts > Implementing Continuous Control Monitoring

Implementing Continuous Control Monitoring

David Vohradsky, CGEIT, CRISC
| Published: 4/6/2015 8:49 AM | Permalink | Email this Post | Comments (1)

In my recent Journal article, I presented a review and pragmatic steps for the implementation of continuous control monitoring (CCM) for IT general controls. My approach has now been considered in a number of implementations for use across enterprise IT general controls.

My CCM approach starts with a top-down analysis of control objectives to determine which formal assertions to test. Some of the implementers have reported that they took more of a bottom-up approach to look at the data, what could be done with them and what assertions were possible.

In many organizations, IT operations support systems have poor data quality and do not lend themselves to a top-down approach. In these cases, a more pragmatic approach would be to start with the existing operational key performance indicators (KPIs) or metrics reporting and identify how they could also be used for control assurance. CCM implementers have reported that the lack of data quality was a significant factor in determining the scope of CCM. A lack of policies and procedures related to the use of IT operations support systems, a lack of data dictionary and lack of data management within these systems seem to be severe limitations.

Implementations also struggle with selecting a tool set for CCM. Some implementations take a tactical approach and used Microsoft tools in order to balance the sometimes conflicting objectives of value-added reporting, ease of development, and complex data manipulation and data cleansing. Other implementations develop a shadow copy of the IT operations support systems, which will need appropriate infrastructure and operational management. Generally, implementers still needed to rely on some professional judgment for control assertions that couldn’t automate.

What are your thoughts on CCM? Do readers find a top-down or bottom-up approach more useful? How are readers dealing with poor data quality in IT operations support systems? What architecture and tool sets are being used for CCM? Are readers “going it alone” or trying to build production-grade systems? Are readers able to replace control assurance completely with CCM for any controls?

Read David Vohradsky’s recent Journal article:
Continuous Control Monitoring: A Practical Approach,” ISACA Journal, volume 2, 2015.

Comments

Great CCM observations, David

You make some interesting points. I am particularly drawn to the issue you raise of where control assurance requires 'management judgement'.  I ran a survey on this topic and found some interesting data on the percentage of controls that need manual testing due to the 'judgement' issue, especially entity-level controls. There are tools that support both the automated control testing and the hybrid/manual control 'assertion' testing, but I found the scale of these sub-groups surprising. You can see  the survey results at http://www.consider.biz/landscape-internal-controls/   
Dan French at 5/14/2015 5:35 AM
Email