Any time I have read articles by the folks at Lumigent Technologies, I notice they expend most of their energy explaining how continuous controls monitoring makes the whole compliance/audit process simpler. It makes sense, considering that's their business, and they typically present sound arguments in its favor.
This week, however, Lumigent's Ron Suffers offered a guest opinion in which he pointed to a specific weakness of the CCM process: Many times, companies do not take a holistic approach. That is, they monitor system transactions, but they do not include changes to master data and application configuration settings in the monitoring process.
The proper way to include those changes, he says, is for "process or data owners to validate that changes to their setting or master data are correct." Unfortunately, more often than not, data and process owners are not willing to take responsibility for the accuracy of their settings or master data. Validation, then, is left to internal and external auditors, and the value of continuous controls monitoring is quickly lost.
For auditors to remain independent and objective, they need to avoid responsibility for controls. Therefore, it is the business process or data owner who needs to be accountable, by monitoring that the controls are set and configured as intended. The owner must be accountable for detecting erroneous settings or values and then swiftly restoring them to their proper state.