Mark Wood recently authored an article, "Continuous Auditing Ensures Better IT Security Compliance," for the Sarbanes-Oxley Compliance Journal and stated that "One of the most effective ways to stay ahead of regulations and be prepared for auditors is a process called continuous auditing." He followed with "Obviously, continuous auditing can only be used for internal audit processes that can be automated and is most commonly used for IT security compliance." and "The most common type of continuous auditing involves monitoring IT assets to ensure necessary configuration settings remain in compliance."

The author is definitely raising an important issue that I believe is still overlooked by most IT departments and IT Security functions; however, there are many issues with the term "Continuous Auditing". One of the major issues is that only auditors can perform an auditing function and that what Mark is primarily describing is "Continuous Monitoring". The ability to perform Continuous Monitoring of security processes can be valuable to an auditor as well, but using the Continuous Auditing description is not entirely accurate.

In addition, the author describes the automation of internal audit processes being most commonly used for IT security compliance. This is another important area of confusion surrounding Continuous Auditing. The approach of continuous auditing is not new and has been used in several different industries for some time. A good example is Claims Processing in the Financial Services Industry, where continuous auditing has been successfully implemented for quite some time.

As IT practitioners, we need to be careful not to alienate our friends in the audit community by taking an IT-centric view of the world. The integration of IT, Audit and Security is definitely the most important concept here and can bring significant value to the business through reduced compliance costs, increased operational efficiency and reduced risk.
© 2010 Control Origins. All Rights Reserved