Always-On (In Theory)


Brian Kuenzi

4/10/2026, 3 min read

A man conducting a continuous monitoring activity on a large monitor.

Everyone wants continuous monitoring. Almost nobody has it. Here's why.

The Pitch Is Real

Test 100% of transactions instead of samples. Detect anomalies in real time. Replace the quarterly scramble with always-on assurance. The audit committee gets a live dashboard instead of a historical report that's already three months stale.

The technology exists. The regulatory pressure is real. QC 1000 took effect December 15, 2025. Updated IIA Global Internal Audit Standards became fully effective January 9, 2025. The SEC cybersecurity disclosure rules are live. In the IIA's 2025 North American Pulse survey, 78% of CAEs identified data analytics as their teams' most needed competency improvement. The industry knows what it needs.

And yet: walk into most corporate audit functions today and you'll find teams still collecting evidence by emailing spreadsheets and exporting screenshots. The technology exists. The intent is there. The gap between aspiration and implementation is, depending on your risk appetite, either an opportunity or a catastrophe in slow motion.

The Real Blockers

What's blocking adoption is budget, integration complexity, and skills. In that order.

Budget: continuous monitoring requires infrastructure, meaning data pipelines, integration connectors, monitoring platforms, and human expertise to configure and maintain them. The CFO who cut the audit budget because "the stock price doesn't respond to governance quality anyway" is not your natural champion for a multi-year controls modernization investment.

Integration: most corporate environments have decades of ERP customizations, legacy systems, and shadow IT never designed to be monitored continuously. Connecting a continuous monitoring platform to SAP, Oracle, Workday, and the five SaaS tools operations installed without telling IT is not a weekend project. It's a program.

Skills: continuous monitoring requires people who can interpret what the monitoring is telling them, tune thresholds without creating alert fatigue, and explain to an audit committee why the algorithm flagged something and what it means. That person is expensive, rare, and being recruited hard by every tech company with a GRC budget.

The Aspiration Trap

There's a specific failure mode I see repeatedly: organizations buy the platform, run a pilot on a narrow set of controls, declare success, and then the program stalls. The initial win doesn't scale. The dashboard exists, but it covers 20% of the risk universe. The remaining 300 controls still run on spreadsheets and email.

Continuous monitoring, done properly, changes how compliance evidence is generated: upstream, automatically, as a byproduct of normal operations. That requires rethinking how business processes are documented, how controls are designed, and how audit evidence flows from source systems to assurance frameworks. That's organizational change, not software deployment.

Only 8% of directors report having strong AI expertise on their boards, while 40% say technological developments are the most challenging issue they oversee. The audit committee is being asked to oversee increasingly automated controls environments using evidence they don't fully understand. The 8% are asking the right questions. The other 92% are nodding along.

What Good Looks Like

The organizations doing this well treated continuous monitoring as a program design problem before they treated it as a technology selection problem. They mapped highest-risk processes first. They defined what "evidence of control effectiveness" actually means for each process. They built data feeds from source systems into the monitoring infrastructure before configuring alert logic. They made evidence capture a byproduct of normal operations, not a pre-audit scramble.

And they kept humans in the loop on the decisions that matter: not every transaction, not every anomaly, but the ones requiring judgment.

If your audit function is still primarily operating on a calendar-driven, sample-based model in 2026, you are accepting a demonstrably higher breach probability, less real-time visibility for your audit committee, and increasing regulatory exposure. The vendors will tell you continuous monitoring is the future. They're right. What they won't tell you is that the future requires organizational change the technology alone cannot deliver.

Brian Kuenzi is a leader in the finance and technology space. Brian's experience spans SOX and Audit leadership, finance transformation, process automation, and business operations across both consulting and in-house leadership roles. You can learn more about Brian on LinkedIn.

These are the opinions of the editors of Internal Audit Next and/or the writer who authored this article. Any use of this copyrighted material without permission of Internal Audit Next - including training for AI Models - is prohibited. Copyright 2026.
