How Continuous Monitoring Reduces Audit Scope and Strengthens Client Controls

Written by Amanda Waldmann | May 29, 2026 6:46:53 PM

Key Insights:

  • Continuous monitoring is management's; continuous auditing is internal audit's. Mixing them muddles external audit scope.
  • Strong client monitoring shrinks audit testing scope and opens up advisory revenue for firms that help build it.
  • PCAOB control testing deficiencies show a tier gap: Big Four 20%, mid-tier firms stuck at 52-61%.
  • New PCAOB QC 1000 (Dec 2026) and AICPA SQMS No. 1 (live) push firm-level monitoring from leading practice to baseline.

Three weeks into control testing, the senior is still pulling screenshots from the client's ticketing system because nobody trusts the exception report. By the time substantive testing starts, the budget is half gone and realization is already a partner-level conversation. Strong client continuous monitoring shrinks that scope. Firms helping clients build it spend less time on detailed testing and open up advisory revenue. This article covers where continuous monitoring sits across major frameworks, how it affects audit scope, what inspection results show about control testing gaps, and why the shift toward continuous assurance matters now.

Who Owns Continuous Monitoring, and Why That Distinction Matters

Continuous monitoring and continuous auditing get used interchangeably in client meetings, but they describe different work owned by different teams. Here is the split:

  • Continuous monitoring (CM) is run by the client's management. It uses automated tests, exception reports, and built-in KPIs to check that internal controls are operating effectively in close to real time.
  • Continuous auditing is run by the client's internal audit team. It uses similar automation to test transactions, controls, and the monitoring programs management has put in place.

Same techniques, different owners, different objectives.

The major standards bodies draw the line cleanly. Continuous monitoring sits in the first line (operational management) and the second line (compliance and risk management), with internal audit providing continuous assurance as the third line. ISACA frames it the same way. The two activities are distinct but coordinated, and in practice you move toward continuous assurance by testing both new transactions and the first- and second-line CM programs themselves. Other frameworks shape this differently, and those distinctions affect how you scope the work.

Where COSO and NIST Fit

How monitoring shows up depends on which framework the client maps to. COSO, the internal control framework most financial audit clients use, treats monitoring as part of the control design. It's one of the five required components, and the framework expects ongoing evaluations, separate evaluations, and a defined path for handling deficiencies.

NIST, the federal IT and cybersecurity standards body, narrows the lens. Its continuous monitoring definition centers on information security, vulnerabilities, and threats feeding risk management decisions. That fits federal frameworks like FISMA and FedRAMP, and it sits apart from the broader operational and financial definitions IIA, ISACA, and COSO use. Same word, two very different programs underneath.

Stronger Client Monitoring Means a Smaller Testing Footprint

A client running strong CM gives the audit team less to retest from scratch each year. ISACA's three-lines guidance puts the inverse relationship plainly: more management monitoring, less detailed control testing on the audit side.

That relationship has a commercial side. Firms that help clients build the CM program reduce their own testing obligation next cycle and open up a more differentiated service line. The maturation path runs predictably: audit teams build a new monitoring metric, hand it over to management, and move on to the next one. Over time, the engagement shifts from testing transactions to testing the monitoring infrastructure itself.

What PCAOB Inspections Reveal About Control Testing Gaps

Not every firm has captured that compression. PCAOB inspection data shows where the testing gap still lives. The reports don't track "continuous monitoring" as a named deficiency category, but the AS 2201 issues they flag year after year are proxies for it. The top of the market is improving on those proxies. The middle is not.

The 2024 inspection cycle shows overall Part I.A deficiency rates dropping from 46% in 2023 to 39% in 2024. Big Four U.S. firms moved from 26% to 20%. Non-affiliated firms, generally those without a global network, are still sitting at 52% for the annually inspected cohort and 61% for triennially inspected firms.

That spread is the story. The underlying deficiency types point directly to where control testing tends to break down on the engagement.

The Most Common Failures

Three deficiencies show up again and again across recent inspection reports:

  • Insufficient testing of the design and operating effectiveness of the controls selected for testing.
  • Insufficient testing of the accuracy and completeness of the data those controls run on.
  • Failure to identify which controls tie to significant accounts or assertions.

Each is also where tightening a client's monitoring program pays off fastest. The same control evidence that helps client management see issues in close to real time gives the audit team a stronger basis for its conclusions.

Inspections capture what went wrong on a single engagement. The new quality management standards target the firm-level systems that let those breakdowns happen in the first place.

QC 1000 Raises the Bar

Firm-level monitoring used to be a leading practice. The new quality management standards make it a baseline requirement for every firm. The PCAOB adopted QC 1000 in May 2024 with an original effective date of December 15, 2025. The Board postponed it to December 15, 2026 after firms flagged implementation challenges they couldn't meet on the original timeline. The AICPA's SQMS No. 1 is already in effect as of December 15, 2025, requiring firms to design, implement, and continuously monitor a risk-based quality management system with an annual evaluation of effectiveness. Either way, the direction is fixed: ongoing monitoring of the quality system itself, well beyond engagement-by-engagement review.

From Periodic Snapshots to Continuous Assurance

The same shift is happening at the engagement level. Annual or quarterly testing captures a single moment, and that picture gets less representative every time the client's transaction volume or system footprint grows. Manual periodic testing cannot scale to match, and the gap between what the binder shows and what the business actually does is exactly where technology-enabled continuous assurance earns its keep.

The broader market is moving in this direction. Continuous assurance tools analyze data from disparate systems to flag anomalies like duplicate payments, control failures, and potential fraud. These tools are most valuable when they augment practitioner judgment and raise service quality, not when they get pitched as time-savers. The technology exists. The open question for firms is which framework should structure how it gets deployed.

Where Frameworks Provide the Roadmap

NIST and COBIT each offer a tested operating cycle, so firms do not have to invent one from scratch. For IT audit and FedRAMP work, NIST SP 800-137 lays out a six-step continuous monitoring cycle: define the strategy, establish metrics and monitoring frequencies, implement collection, analyze and report findings, respond, then review and update. That cycle feeds the Monitor step of the seven-step NIST Risk Management Framework, where most federal-facing programs already anchor their assessment cadence.

COBIT covers similar ground from the governance angle. ISACA's continuous assurance and monitoring guidance walks through identifying and prioritizing risks and the controls tied to them, translating management practices into testable criteria, and matching each assertion to the right testing technique. Most of that work lives in COBIT's MEA (Monitor, Evaluate, and Assess) domain, with additional focus areas covering information and technology risk and information security. The framework that fits the engagement type tends to shape the rest of the design.

Where Professional Judgment Still Owns the Call

More coverage does not mean less judgment. As data analytics and automation expand reach, population-level testing is becoming common in tests of controls and substantive procedures, in place of pure sample-based work. Wider coverage changes what gets tested, not who decides what the results mean. Critical thinking remains central to sound decision-making, and AI raises the standard for professional judgment rather than replacing it.

Where the Industry Stands on Adoption

Adoption is climbing on both sides of the engagement. Clients are spending to handle more complex compliance work. Audit and advisory firms are spending to handle more sophisticated analytics. The data shows the maturity gap underneath the spending. The 2025 Global Compliance Survey from PwC, polling 1,802 executives, found 85% saying compliance requirements have become more complex over the past three years. Nearly half (49%) are already using technology for 11 or more compliance activities, compliance and transaction monitoring sits in the top three use cases at 75%, and 82% plan to invest more in at least one technology to optimize compliance work.

Inside internal audit, adoption is real but uneven. Deloitte's 2025 survey shows 62% of internal audit functions planning investments in data analytics and nearly 40% of chief audit executives planning GenAI investments. The maturity gap is the headline: 82% of functions report increased impact, while only 14% believe they have reached their full potential.

That same pattern holds in the broader market. KPMG's AI survey of 1,800 companies across 10 countries shows most organizations sitting in the "Implementer" phase rather than "Leader." About four in ten firms above $10 billion in revenue qualify as Leaders, compared with less than half that share among firms under $5 billion. How fast firms close that distance is what the next few years will measure.

Build Stronger Control Testing and Engagement Workflows with Fieldguide

Fieldguide is an AI-native platform for audit and advisory firms that brings control testing, evidence management, and engagement quality oversight into one place. It supports engagement work across scoping, evidence collection, control testing, and reporting, with Field Agents that execute work while practitioners review, judge, and advise. Half the top 100 US CPA firms use Fieldguide, including members of the Big Four. Request a demo to see how it works across audit and advisory engagements.