Published May 7, 2019 • By Karen Walsh

Auditing vs Monitoring

Monitoring is an established component of the information security process and goes hand in hand with auditing. Auditing is used to document an organization’s compliance activities. Where monitoring protects the data by responding to threats, auditing provides proof of a continued compliance effort. By taking a “security-first” approach, companies can use continuous auditing and monitoring to provide evidence of their cybersecurity protections.

What is compliance?

Compliance means establishing rules, following rules, and ensuring that others follow them as well.

For companies, compliance means identifying, assessing, and analyzing risk then creating written policies that explain the reasons the company chose to accept, mitigate, transfer, or refuse those risks.

What is continuous monitoring?

Cybercriminals continuously update their methodologies to find new vulnerabilities. Previously unknown vulnerabilities, the basis of so-called “zero-day” attacks, are rare. However, malicious actors continuously evolve malware and ransomware to avoid detection. Thus, although anti-malware can protect a company from an already researched infection type, it may not protect against a newer version with enhanced capabilities.

Continuous monitoring provides a real-time capability showing the threats against your IT systems. Incorporating machine learning tools, you can ensure that your internal controls remain effective while also predicting potential new risks.

What is continuous auditing?

Continuous auditing provides in-depth, real-time analytic evidence demonstrating how closely a company is adhering to security policies and procedures. As threats evolve, risk management activities need to evolve. Risk analysts propose new controls based on the new threat landscape. Internal auditors need to ensure that established controls are consistently applied to all information systems.

Auditors review independent evidence documenting the performance of security-related tasks such as incident response, log review, and patch management. Without continuous auditing, risk management activities and compliance can only be measured for a point in time. The use of continuous auditing offers real-time evidence of continuous control implementation rather than a snapshot-in-time evaluation or a static sampling of evidence. This can be integrated into the compliance workflow, ensuring that policies and procedures are enforced across the organization.

Traditional Audit

Traditional audits focus on a single point in time. The auditor requests information covering a certain period, and you provide the documentation. However, IT security audits require greater insight into how organizations manage the threats facing systems and networks.

Continuous Auditing

Continuous auditing uses automated systems to collect documentation and indicators about your information systems, processes, transactions, and controls. Using these tools, your auditors can collect information from processes, transactions, and accounts in a more timely, less costly manner that allows you to move away from point-in-time reviews. Continuous auditing activities prove that you know your environment and identify noncompliance immediately.

What is the difference between continuous auditing and continuous monitoring?

Both continuous monitoring and continuous auditing use automated tools to provide real-time data, but they provide information for different audiences.

Continuous monitoring enables management to respond to threats that impact its risk assessment and business processes. By utilizing continuous monitoring automation, financial firms can not only identify potential abuse and attacks before a breach occurs but also ensure compliance with the Sarbanes-Oxley Act of 2002 (SOX). By identifying and remediating potential incidents privately, firms prevent breaches, which often lead to bad press and regulatory investigation.

Continuous auditing enables auditors to gather the log information needed to support compliance conclusions. Instead of sampling a percentage of transactions and processes, the internal auditor can review all of them. More critical for financial services organizations, continuous auditing provides regulators with the documentation needed for their audit.

Although the two complement each other, they collect different documentation. Continuous monitoring tools collect information about your controls’ effectiveness against malicious actors. Continuous auditing collects documentation proving that you responded the way a standard or regulation requires.
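The two points above, automated collection of control evidence and review of the whole population instead of a sample, can be shown concretely. The following is an added example, not code from the original post or from ZenGRC: it evaluates constructed patch-management and log-review evidence against hypothetical policy thresholds (a 30-day patch SLA and a weekly log review, both assumptions), compares a sampled point-in-time audit with a full-population check, and builds the kind of dated audit trail that shows when a control first fell out of compliance.

```python
"""Full-population control evaluation for continuous auditing (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta


# Constructed evidence records for the example; in practice these would be
# collected automatically from the patch-management system and the SIEM.
@dataclass(frozen=True)
class PatchEvidence:
    host: str
    last_patched: date


@dataclass(frozen=True)
class LogReviewEvidence:
    system: str
    reviewed_on: date


# Assumed policy thresholds (hypothetical, not taken from the page).
PATCH_SLA = timedelta(days=30)      # every host patched within 30 days
LOG_REVIEW_SLA = timedelta(days=7)  # every system's logs reviewed weekly

AS_OF = date(2019, 5, 7)
TRAIL_START = date(2019, 3, 15)
PATCH_EVIDENCE = [
    PatchEvidence("web-01", date(2019, 4, 30)),   # 7 days old: within SLA
    PatchEvidence("web-02", date(2019, 4, 20)),   # 17 days old: within SLA
    PatchEvidence("db-01", date(2019, 3, 1)),     # 67 days old: exception
    PatchEvidence("hr-files", date(2019, 4, 1)),  # 36 days old: exception
]
LOG_EVIDENCE = [
    LogReviewEvidence("firewall", date(2019, 5, 6)),  # 1 day old: within SLA
    LogReviewEvidence("vpn", date(2019, 4, 25)),      # 12 days old: exception
]


def patch_exceptions(evidence, as_of):
    """Hosts whose most recent patch is older than PATCH_SLA as of `as_of`."""
    return sorted(e.host for e in evidence if as_of - e.last_patched > PATCH_SLA)


def log_review_exceptions(evidence, as_of):
    """Systems whose last log review is older than LOG_REVIEW_SLA as of `as_of`."""
    return sorted(e.system for e in evidence if as_of - e.reviewed_on > LOG_REVIEW_SLA)


def continuous_audit(patch_evidence, log_evidence, as_of):
    """Evaluate every record and return a per-control verdict with its exceptions."""
    patch_bad = patch_exceptions(patch_evidence, as_of)
    log_bad = log_review_exceptions(log_evidence, as_of)
    return {
        "patch_management": {"compliant": not patch_bad, "exceptions": patch_bad,
                             "population": len(patch_evidence)},
        "log_review": {"compliant": not log_bad, "exceptions": log_bad,
                       "population": len(log_evidence)},
    }


def sampled_audit(patch_evidence, as_of, sample_hosts):
    """Point-in-time audit: only the sampled hosts are inspected."""
    subset = [e for e in patch_evidence if e.host in sample_hosts]
    return patch_exceptions(subset, as_of)


def first_breach_dates(patch_evidence, start, end):
    """Audit trail: the first day in [start, end] on which each host fell out of SLA."""
    breaches = {}
    day = start
    while day <= end:
        for host in patch_exceptions(patch_evidence, day):
            breaches.setdefault(host, day)
        day += timedelta(days=1)
    return breaches


if __name__ == "__main__":
    print(continuous_audit(PATCH_EVIDENCE, LOG_EVIDENCE, AS_OF))
    print("sampled:", sampled_audit(PATCH_EVIDENCE, AS_OF, {"web-01", "web-02"}))
    print("trail:", first_breach_dates(PATCH_EVIDENCE, TRAIL_START, AS_OF))
```

Run as a script, the sampled audit of the two web hosts reports no exceptions and would let the auditor conclude the control is effective, while the full-population check flags `db-01` and `hr-files` for patching and `vpn` for log review. The breach-date trail is what distinguishes continuous auditing from a snapshot: it records the day each host first exceeded the SLA, so the evidence shows how long the exception has persisted rather than only that it exists today.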

Where do continuous monitoring and continuous auditing fit into a “security-first” compliance program?

A security-first approach to compliance means not just establishing controls but continuously protecting information from new threats. Continuously monitoring attempted intrusions into your systems and networks enables you to protect information and speed up compliance efforts to meet new standards and regulations.

Regulations and standards increasingly focus on management’s governance over your cybersecurity compliance program. A continuous monitoring tool gives management visibility into emerging threats so that they can make decisions based on their risk tolerance.

Once you respond, you need to update your control and risk assessments, and you need to prove that you complied with standards and regulations. Your continuous audit tool allows your internal auditor to review your security controls for compliance alignment.

Essentially, you need a tool that connects the continuous monitoring of a security-first approach to compliance with the documentation required to support an audit of your controls and procedures. This is where the two tools overlap.

How ZenGRC Enables Both Continuous Monitoring and Continuous Auditing

Compliance programs require communication between internal and external stakeholders and an audit system that enables this.

ZenGRC offers workflow tagging so that you can delegate compliance tasks and monitor their progress and completion. Moreover, it allows you to prioritize tasks so that your team members know how to plan their activities.

ZenGRC’s workflow management capabilities include a centralized dashboard that continuously documents your control effectiveness making compliance documentation easier.

Additionally, it helps you create an audit trail by documenting remediation activities to support your responses to auditor questions.

Using ZenGRC’s single-source-of-information platform can speed up internal and external stakeholder communications and provide all necessary documentation, reducing external auditor follow-up requests.

For more information on how ZenGRC’s audit management workflows can streamline your process, contact us for a demo.