When should continuous monitoring belong to management instead of internal audit?
Continuous monitoring should belong to management when it is part of running the process or detecting exceptions that management must investigate in the normal course of business. For example, if a monthly dashboard flags unauthorized discounts for branch managers to resolve, that is a management monitoring control.
Internal audit may use analytics to identify risk, select samples, prototype a useful monitor, or perform follow-up. But if the organization relies on the dashboard as a control, management should own the rules, review cadence, evidence of follow-up, and remediation decisions. Internal audit can later assess whether that monitoring control is designed and operating effectively.
The independence issue is practical: internal audit should not become the permanent operator of a control it later audits.
Master CIA Part 2 with our CIA Course
45 lessons · 90+ hours· Expert instruction
Related Questions
What should an auditor do if a supervisor weakens a supported finding?
How should auditors prepare for a technical exit meeting?
When should audit quality concerns be escalated beyond the engagement team?
How does business knowledge affect internal audit quality?
Where should an auditor begin a full-company internal control audit?
Join the Discussion
Ask questions and get expert answers.