The above diagram shows the governance and management processes associated with control assurance. Management monitors processes through mechanisms including key risk indicators (KRIs), which alert the business to potential control issues and form part of a continuous improvement cycle.
Continuous Control Monitoring (CCM) takes selected KRIs, together with the results of other tests and analytics run on processes, and forms part of an overall control assurance program (CAP). Within the CAP, concerns raised about the monitored controls are validated before being prioritised and acted upon alongside issues identified by other, periodic manual testing. Additional risks and key control deficiencies may also be identified through management risk and control self-assessments (RCSA), which form part of the program and draw on the knowledge management gains by operating the plan-build-run-monitor cycle. Integrated issue management on a GRC platform supports digitisation, automated alerting and management of remediation activities once management has agreed to them.
Mature KRIs linked to formal assertions are continuously monitored and reported, automatically form part of the risk and control profile, and are integrated into daily management processes.
Other KRIs, which may still be subject to false positives, are used in the day-to-day management of the process in question and tuned until they can be relied upon for management self-assessment and continuous improvement of that process. As they mature, they can be incorporated into an expanded CCM regime.