Monitoring is an established component of the information security process; it goes hand-in-hand with auditing.
What’s the difference between the two? Auditing documents an organisation’s compliance activities. Monitoring protects data and provides network security by identifying threats so employees can respond accordingly. Auditing offers proof of a continued compliance effort; monitoring is the continued compliance effort (partly, at least).
By taking a security-first approach, companies can use continuous auditing and continuous monitoring to provide evidence of their cybersecurity compliance measures.
Compliance itself is the process of establishing security controls and following business rules to assure that an organisation adheres to the requirements of all laws, regulations, industry standards, or other regulations that might apply to the organisation.
For companies with compliance obligations, that means identifying, assessing, and analysing risks. Then the business must create written policies that explain why the company chose to accept, sought mitigation for, escalated, or refused those risks, to assure their security posture.
What is continuous monitoring?
Continuous monitoring is the real-time observation of activity on your corporate network and IT systems to identify — and, ideally, prevent — new or emerging cybersecurity risks within your IT infrastructure.
By incorporating machine learning tools that can automate this process, you can ensure that your internal controls remain effective while predicting potential new risks.
Continuous monitoring is wise because attackers constantly change their methods to find and exploit new weaknesses in your IT systems. Endpoint vulnerabilities, misconfigured or weak firewalls, and other cyber threats are all avenues an attacker can use to gain unauthorised access to the system or data.
Since malicious actors modify their malware and ransomware to avoid detection, anti-malware can only protect a company from an already researched infection; it won’t necessarily work against new cyberattacks with enhanced capabilities. Hence monitoring is so crucial.
Why is continuous monitoring an essential element of security?
Information security continuous monitoring (ISCM) is important because it empowers organisations to evaluate their operating system and web application infrastructure routinely.
It allows them to determine whether the system is compliant with current information security policies or is vulnerable to security threats — and thus, needs patching.
Continuous security monitoring can:
- Supervise your attack surface
- Enhance endpoint security
- Provide robust data security for your sensitive data
- Assure you’re compliant with standards like Service Organisation Controls (SOC) and the National Institute of Standards and Technology (NIST).
Let Security Systems get you peace of mind by installing top-quality and reliable home security cameras in Melbourne.
What is continuous auditing?
Continuous auditing provides in-depth, real-time metrics demonstrating how closely a company adheres to standardised security operations and procedures. As threats evolve, your security team can propose new access controls and security management policies based on the latest threat landscape.
Internal auditors need to ensure that established controls are consistently applied to all information systems to block security incidents from all sides.
Auditors review the performance of tasks such as incident response, log review, and vulnerability management to ensure they can still prevent a data breach.
This information can be integrated into the compliance workflow to assure security information and event management (SIEM) policies and procedures are enforced across the organisation.
What’s the difference between traditional auditing and continuous auditing?
A traditional audit focuses on a single point in time, such as the end of a quarter. The auditor requests information during a specific period, and you provide the documentation.
In contrast, IT security audits require greater insight into how organisations manage the threats facing systems and networks. Continuous auditing uses automated systems to collect documentation and indicators about your information systems, processes, transactions, and controls all the time.
Using these tools, your auditors can collect information from processes, transactions, and accounts in a more timely, less costly manner that allows you to move away from point-in-time reviews. Continuous auditing activities prove that you know your environment and identify non-compliance immediately.
How do continuous auditing and continuous monitoring differ?
Continuous auditing and monitoring both use automated tools (often SaaS applications) to provide real-time data, but they provide information for different audiences.
Continuous monitoring enables management to respond to threats that affect its risk assessment and business processes. Firms can identify potential abuse and attacks before a breach occurs and assure compliance with the Sarbanes Oxley Act, HIPAA, or other laws with heavy data security requirements.
Continuous auditing, meanwhile, enables auditors to gather the information needed to support compliance conclusions. Instead of sampling a percentage of transactions and processes, the internal auditor can review all of them. More critical for financial services organisations, continuous auditing provides regulators with the documentation needed for their audits.
So although the two concepts complement each other, they collect other documentation. Continuous monitoring gathers information about your controls’ effectiveness against malicious actors. Ongoing audit contains documentation of mitigating practices the way a standard or regulation requires.
Searching for the best CCTV security systems? Give Security Systems a call.
- Timely identification of transaction errors, abuse, fraud and non-compliance
- Ongoing assurance over risk management and internal control systems
- Rapid identification of new issues; continuous risk assessment needed
- More areas under consideration mean that traditional audit coverage is increasingly limited.
- Ability to assess and prioritise resources to focus on actual issues
5 Steps to Implementing Continuous Auditing and Continuous Monitoring
Determine a Champion
Whether you want Audit to work with Management or Management to work with Audit, one individual or department has to be the established leader of change and implementation. Also essential will be buy-in from all levels of Management across all functions of the company. This is the new way of doing business (Audit, Compliance and Monitoring), and everyone needs to be on board.
Clearly Defined Approach
Whether you agree with the definitions above or have your spin on the subject, be definitive concerning your approach. Many factors will need to be considered, including industry, regulation requirements, fraud awareness, cost structure, people, resources, company culture, etc.
As I described here, I find it imperative for each Audit Department (and Management level individuals) to be up-to-speed on the latest Computer-Assisted Audit Tools. The use of these tools is essential to the successful implementation of Continuous Auditing and Continuous Monitoring.
Like with most endeavours, you will need to ‘test’ the implementation on a few high profile, high-risk processes to ensure the proper approach is in place and that you are receiving the sought after benefits. Areas such as Accounts Receivable, Accounts Payable, General Ledger Journal Entries and Time and Expense Reporting are good places to start and give you an indication of your successes (or failures).
As the program gets established, you will need to constantly assess whether it is achieving the intended goals of the implementation. Are costs being recovered? Do you see a return on your investment? Are controls stronger? Audit coverage more excellent, more efficient and most cost-effective? Is fraud coverage better, more innovative? Are you getting quick?
Where do continuous monitoring and continuous auditing fit into a ‘security-first compliance program?
A security-first approach to compliance means not just establishing controls but also continuously protecting information from new threats.
Continuously monitoring attempted intrusions to your systems and networks enables you to protect information and speed up compliance efforts to meet new standards and regulations.
Regulations and standards increasingly focus on management’s governance over your cybersecurity compliance program.
A continuous monitoring tool provides management visibility into emerging threats. Then they can make decisions based on their risk tolerance. Once you respond, you need to update your control and risk assessments, and you need to prove that you complied with standards and regulations.
Your continuous audit tool allows your internal auditor to review your security controls for compliance alignment.
Essentially, it would be best to have a tool that connects the continuous monitoring of a security-first approach to compliance with the documentation required to support an audit of your controls and procedures. This is where the two tools overlap.
How GRC Software Enables Continuous Monitoring and Continuous Auditing
Compliance programs require communication between internal and external stakeholders and an audit system that enables this.
ZenGRC offers workflow tagging so that you can delegate compliance tasks and monitor their progress and completion. Moreover, it allows you to prioritise tasks so that your team members know how to plan their activities.
ZenGRC’s workflow management capabilities include a centralised dashboard that continuously documents your control effectiveness making compliance documentation easier.
Additionally, it helps you create an audit trail by documenting and remediation activities to support your responses to auditor questions.
Using ZenGRC’s single source of information platform can speed up internal and external stakeholder communications and provide all documentation necessary, thus reducing external auditor follow-up requests.
The Added Value That Ca/Cm Provide For Organisations
In general, CA/CM adds value by improving compliance with laws and regulations and supporting business goals. From a technology perspective, CA/CM enables a high degree of automation for monitoring systems and data and implements closed-loop mechanisms for any exceptions detected. As a monitoring mechanism, CA/CM helps detect irregularities in system configurations, processes and data, either from a risk or a performance perspective.
Potential benefits of CA/CM include:
- Enhanced and more timely oversight of compliance across the enterprise;
- Improved efficiency and effectiveness of the control environment through automation, leading to cost-reduction opportunities;
- Business improvement through reduced errors and improved error remediation, allowing reallocation of resources to activities that add value;
- The ability to report more comprehensively on compliance with internal and regulatory requirements
Main Outcomes Of The Ca/Cm Survey
CA/CM is winning ground within organisations that aim for continuous control and continuous performance. The level of awareness, the increasing availability of tools and the aim for greater efficiency in assurance are essential drivers for further investigation into what CA/CM can bring to the organisation.
Examples of CA/CM tools
- BWise Continuous Monitoring & Audit Analytics
- SAP Fraud Management
- RSA Archer
- Aptean Event Management Framework
- IDEA Caseware Monitor
- ACL AuditExchange
- Oversight Systems
This section summarises the outcome of an online EMA survey. The online survey was rolled out across the EMEA region and contained responses from 718 individuals. The respondents are primarily from internal audit departments and boards of directors, operational/line management in the office of the CFO, and finance and risk management sectors throughout the organisation.
Respondents do understand the benefits of CA and CM. As depicted in Figures 2 and 3, 89% of the respondents realise that CA aims to bring comprehensive assurance with more excellent coverage across the organisation; and 90% understand that CM enables the detection and correction of irregularities and helps identify process improvements.
However, understanding the benefits of CA/CM alone cannot drive it forward. Strategic drivers include the pressure to strengthen governance, enhance performance and accountability and improve oversight for global operations. Operational drivers have the occurrence or risk of fraud and misconduct and process improvement by identifying irregularities continuously. External drivers include the expanding regulatory and risk environment, scrutiny from rating agencies, and an uncertain economic environment.
Case Study: Large-scale Implementation Of Ca/Cm
The client was accused of paying bribes. This accusation led to comprehensive investigations by the government. The bribes were paid to secure new deals. An estimated total of 14 million euros in bribes was spent in the period between 2002 and 2005. As a result of the investigations, the client had to pay 150 million euros for failing to follow government regulations. In addition to the fines, the client received negative publicity, and many board members and employees were terminated.
Design And Build Phase
The public prosecutor said that there was no sufficiently effective internal control system for detecting bribes. Therefore, a solution to monitor the entire purchase-to-pay process had to be introduced. The design phase resulted in 23 blueprint documents regarding system architecture, data analytics, security, training, etc. In the design phase, a lot of attention was paid to the flexibility and scalability of the solution to make the solution applicable for future extensions such as order-to-cash controls, IT controls and business performance indicators.
Due to particular client requirements, the solution consisted of a combination of software applications and databases. Instead of commercial off-the-shelf CM software. Essential requirements were connecting to multiple source systems, both SAP and non-SAP and integration with Microsoft SharePoint for case management and reporting. The scheduling tool was used to trigger the data extraction and data analytics processes in the backend. The data analytics rules (queries) were built in an Oracle database (the standard database at this client). The results of the data analytics were pulled into a Microsoft SQL Server database to allow integration with Microsoft SharePoint.
- Continuous auditing & monitoring can reduce the risk of financial loss by detecting error and typically finds abuse before the economic impact is realised.
- A constant auditing & monitoring solution provides additional management information which can be used to drive efficiencies in the monitored process. For example, the granular in-process data available in a continuous monitoring solution can be used to track KPIs and identify and fix process bottlenecks.
- The closed-loop investigation of detected anomalies can lead to ongoing improvements to controls. Besides, continuous auditing & monitoring helps increase the scope of coverage (100% of transactions as opposed to sampling method).
- Continuous auditing & monitoring can be targeted to provide additional assurance over processes that are high in value or risk. It also allows for flexibility in an ever-changing regulatory environment.
The survey showed a high degree of awareness of the potential benefits of CA and CM to organisations. Despite the interest to date, only a limited number of organisations have been involved in an enterprise-wide adoption of CA/CM practices, primarily due to the lack of a suitable business case or their inability to measure the benefits of such initiatives effectively. However, with the growing interest in risk assessment and compliance monitoring, there are solid prospects for CA/CM practices to be adopted by more businesses in the foreseeable future.
The survey further revealed that the functions across an organisation gained added value from CA/CM practices, irrespective of whether they were the initiators. Beyond other parts, internal audit remains the main initiator and beneficiary of CA/CM. Other services, such as operational/line management, are not usually the first initiators of CA/CM but benefit from it.
Most respondents believe that CA/CM is best suited to support processes such as “financial management reporting,” regulatory reporting and “treasury and cash management.” Typically, the areas that tend to have the greatest return on investment (ROI) included “manual journal entries,” “time and expense,” “purchase-to-pay,” “p-cards,” “order-to-cash”, and “inventory management.”
Our recommendation is to benefit from each CA/CM initiative entirely, and management should focus on achieving a healthy ROI while lowering exposure to risks. Pilot projects with a limited set of analysis and connections may deliver results quickly and potentially help CA/CM become self-financed, thus fuelling the business case for adopting an enterprise-wide CA/CM program.
Finally, we believe that organisations interested in CA/CM need guidance and sufficient information on the benefits and techniques associated with CA/CM. Here’s where external auditors and advisors come into play. The success of a CA/CM initiative largely depends on its effective implementation and integration in day-to-day operations, as well as the reasonable, appropriate and effective use of technology.
Organisations should realise that effective implementation of CA/CM can take time and effort. A variety of challenges can be expected along the way. No matter how they choose to launch the effort, organisations should define the desired end-state for their CA/CM efforts. Organisations should understand that CA/CM is not only about implementing tooling. It is a change in working where you have to redefine your objectives, roles and responsibilities and the way to handle the outcome. Moreover, implementing CA/CM is about understanding the extent to which CA/CM can transform processes, risk and controls, technology, and people in an integrated way.
Based on our practical experience in supporting organisations before, during and after the implementation of CA/CM initiatives, we firmly believe that this will be a way forward to create greater transparency efficiently and sustainably. With the evolution of CA/CM, we predict an organisational shift regarding the providers of assurance and analysis.
Keep your vigilance over your home or establishment around the clock with Security Systems’ extensive range of security access control system services.