I want to describe a scenario that happens in every SOX programme I've ever seen — including the ones run by the best teams at the best Big 4 firms.
An auditor tests the journal entry approval control. She selects 60 items from the population using random sampling. All 60 have proper approval. The control passes. She signs off. The workpaper goes in the file.
What she doesn't know — and can't know, given the constraints of sample-based annual testing — is that the CFO's system access was misconfigured for 3 months during the year, allowing journal entries up to $500K to post without secondary approval. None of those entries appeared in her sample. The control effectively failed for 90 days. The financial statements were at risk for 90 days. And the audit gave it a clean pass.
This isn't a criticism of the auditor. She followed PCAOB standards correctly. The problem is the standards themselves — designed for a pre-AI world where continuous testing was operationally impossible. That world no longer exists.
A sample of 60 items from a population of 10,000 gives you 95% confidence about those 60 items. It tells you almost nothing about what happened in the 9,940 items you didn't review. If control failures cluster in certain periods, certain user accounts, or certain transaction types — sampling can miss them entirely.
Controls change. System access gets granted and revoked. Approval thresholds get adjusted. Personnel change. A control that existed on September 15th when your external auditor was on-site may not have existed in the same form in March. Annual testing captures a moment. Continuous monitoring captures the full year.
Six months between a control failure and detection is a material risk window. In that time, financial statements could be misstated, fraud could go undetected, and regulators could ask questions that nobody can answer.
Continuous monitoring gets described as a spectrum. At the simple end: running the same test procedure more frequently (monthly instead of annually). At the sophisticated end: automated monitoring rules that run 24/7, test 100% of the population, and flag exceptions the moment they occur.
The practical approach for most organisations sits in the middle — and it's more achievable than most audit teams think.
For controls with a clear data signature — journal entry approval, user access, three-way match — you can automate the test and run it on any schedule. These don't require AI. They require a query that runs against your ERP or access management system and flags exceptions automatically.
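As an added illustration (this is not code from the article or from AssurAI), here is what such an automated test looks like for two of the controls named above, journal entry approval and user access, written against a small in-memory SQLite database. The population, the $10,000 approval threshold, the 90-day window in which entries post with no approver, and the user/role table are all constructed for the example; the point is that the test is a single query over 100% of the population, so the failing window shows up with its exact start and end dates rather than depending on whether a sample happened to land in it.

```python
import sqlite3
from datetime import date, timedelta

# Assumed control (not from the article): journal entries above this amount need a
# secondary approver who is not the preparer.
SECONDARY_APPROVAL_THRESHOLD = 10_000


def build_population(conn):
    """Load a constructed population of 360 journal entries (one per day from
    2024-01-01) plus a small user/role table. During a 90-day window starting on
    day 120, every second entry above the threshold is posted with no approver,
    mimicking the misconfigured-access scenario described in the article."""
    conn.execute("""CREATE TABLE journal_entries (
        je_id INTEGER PRIMARY KEY, posted_on TEXT NOT NULL, amount REAL NOT NULL,
        preparer TEXT NOT NULL, approver TEXT)""")
    conn.execute("CREATE TABLE user_roles (user_id TEXT NOT NULL, role TEXT NOT NULL)")
    start = date(2024, 1, 1)
    rows = []
    for i in range(360):
        amount = 2_500 + (i % 7) * 15_000          # amounts from 2,500 to 92,500
        preparer = f"user{i % 5}"
        approver = f"mgr{i % 3}"
        if 120 <= i < 210 and amount > SECONDARY_APPROVAL_THRESHOLD and i % 2 == 0:
            approver = None                       # the control gap: no secondary approval
        rows.append((i + 1, (start + timedelta(days=i)).isoformat(), amount, preparer, approver))
    conn.executemany("INSERT INTO journal_entries VALUES (?, ?, ?, ?, ?)", rows)
    roles = [(f"user{n}", "JE_CREATE") for n in range(5)]
    roles += [(f"mgr{n}", "JE_APPROVE") for n in range(3)]
    roles.append(("user3", "JE_APPROVE"))         # constructed segregation-of-duties conflict
    conn.executemany("INSERT INTO user_roles VALUES (?, ?)", roles)


def open_test_db():
    conn = sqlite3.connect(":memory:")
    build_population(conn)
    return conn


# The automated control test: one query over the whole population, no sampling.
JE_EXCEPTION_QUERY = """
SELECT je_id, posted_on, amount, preparer, approver
FROM journal_entries
WHERE amount > :threshold
  AND (approver IS NULL OR approver = preparer)
ORDER BY posted_on
"""

# User access test: anyone holding both the create and the approve role.
SOD_CONFLICT_QUERY = """
SELECT user_id FROM user_roles WHERE role = 'JE_CREATE'
INTERSECT
SELECT user_id FROM user_roles WHERE role = 'JE_APPROVE'
ORDER BY user_id
"""


def journal_entry_exceptions(conn):
    """Entries above the threshold without a valid secondary approval, as dicts."""
    cur = conn.execute(JE_EXCEPTION_QUERY, {"threshold": SECONDARY_APPROVAL_THRESHOLD})
    cols = [c[0] for c in cur.description]
    return [dict(zip(cols, row)) for row in cur.fetchall()]


def exception_window(exceptions):
    """First and last posting dates among the exceptions: the period the control was failing."""
    if not exceptions:
        return None
    return exceptions[0]["posted_on"], exceptions[-1]["posted_on"]


def sod_conflicts(conn):
    """Users who can both create and approve journal entries."""
    return [row[0] for row in conn.execute(SOD_CONFLICT_QUERY)]


if __name__ == "__main__":
    db = open_test_db()
    found = journal_entry_exceptions(db)
    print(f"{len(found)} unapproved entries above threshold; failing window {exception_window(found)}")
    print("segregation-of-duties conflicts:", sod_conflicts(db))
```

Both queries are plain SQL, so the same test can be scheduled nightly or monthly against a read replica of the ERP or access system; only the connection string and table names change. The window reported by `exception_window` is the 90-day period an annual sample is likely to miss.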
Examples:
This is where AI changes what's possible. Instead of running pre-defined queries against known risk scenarios, AI monitors for patterns that deviate from normal — without you having to specify exactly what "normal" looks like in advance.
Example: Your journal entry approval control normally shows a distribution of ~200 entries per week, with 95% approved within 24 hours. In week 34, the system flags that approval time spiked to 72 hours for entries from one business unit. Nobody programmed that specific check — the AI detected a deviation from baseline. The auditor investigates and finds the approver was on leave with no backup designated. Near-miss averted.
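To make the baseline-deviation idea concrete, here is an added example (not code from the article or from any product it mentions) that flags exactly the kind of week-34 spike described above without any rule naming a business unit or a 72-hour threshold. The weekly series of 95th-percentile approval times per business unit is constructed for the example; the detector compares each week with the trailing twelve weeks using a median/MAD modified z-score, a standard robust outlier statistic, and flags anything far outside that baseline.

```python
from statistics import median


def weekly_p95_hours():
    """Constructed data (not real): weekly 95th-percentile approval time in hours
    for two business units over 40 weeks. Both sit around the 24-hour mark; in
    week 34 the 'south' unit jumps to 72 hours (the assumed approver-on-leave scenario)."""
    series = {"north": [], "south": []}
    for week in range(1, 41):
        series["north"].append(18.0 + (week % 5) * 1.5)   # 18.0 .. 24.0
        series["south"].append(20.0 + (week % 4) * 1.0)   # 20.0 .. 23.0
    series["south"][33] = 72.0                            # week 34 anomaly
    return series


def robust_z(value, baseline):
    """Modified z-score: how far `value` sits from the baseline median, in units
    of the median absolute deviation. Robust to a few bad weeks in the baseline."""
    med = median(baseline)
    mad = median(abs(x - med) for x in baseline) or 1e-9   # guard against a flat baseline
    return 0.6745 * (value - med) / mad


def detect_deviations(series, window=12, z_threshold=3.5):
    """Flag weeks whose value is far above the trailing `window` weeks for the same
    unit. Nothing here encodes a specific unit, week or hour limit in advance;
    the baseline is learned from the unit's own history."""
    flags = []
    for unit, values in series.items():
        for idx in range(window, len(values)):
            baseline = values[idx - window: idx]
            z = robust_z(values[idx], baseline)
            if z > z_threshold:
                flags.append({"unit": unit, "week": idx + 1,
                              "value": values[idx], "z": round(z, 1)})
    return flags


if __name__ == "__main__":
    for flag in detect_deviations(weekly_p95_hours()):
        print(f"week {flag['week']}: {flag['unit']} p95 approval time {flag['value']}h "
              f"(z = {flag['z']} against trailing baseline)")
```

The flag carries the unit, the week and the deviation score, which is what an auditor needs to start the investigation; the week after the spike is not re-flagged because the median/MAD baseline is not dragged upward by a single bad week the way a mean/standard-deviation baseline would be.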
The logical endpoint of continuous monitoring is direct integration with your systems of record — ERP, HRIS, identity management — so that every transaction, every access grant, every system change is evaluated against your control framework in real time. When something fails a control, an exception is created automatically and routed to the right owner.
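The following added example (illustrative code, not the article's or any vendor's implementation) shows the shape of that integration in miniature: events from systems of record arrive one at a time, each is evaluated against every control that applies to its event type, and each failure becomes an exception record routed to that control's owner. The three controls, their owners and the event stream are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable


@dataclass
class Control:
    control_id: str
    owner: str                       # assumed routing target for exceptions
    event_type: str                  # which system-of-record event this control evaluates
    passes: Callable[[dict], bool]   # True when the event satisfies the control


@dataclass
class ControlException:
    control_id: str
    owner: str
    event: dict


# Constructed control logic (illustrative, not a real control framework).
def je_has_secondary_approval(e):
    """Entries above 10,000 need an approver who is not the preparer."""
    return e["amount"] <= 10_000 or (bool(e.get("approver")) and e["approver"] != e["preparer"])


def grant_keeps_duties_segregated(e):
    """A grant may not leave a user able to both create and approve entries."""
    roles_after = set(e["existing_roles"]) | {e["role"]}
    return not {"JE_CREATE", "JE_APPROVE"} <= roles_after


def change_has_approved_ticket(e):
    """A system change must reference an approved change ticket."""
    return e.get("ticket") is not None and e.get("ticket_approved", False)


CONTROLS = [
    Control("JE-01", "controller@example.test", "journal_entry", je_has_secondary_approval),
    Control("ACC-02", "iam-owner@example.test", "access_grant", grant_keeps_duties_segregated),
    Control("CHG-03", "change-mgr@example.test", "system_change", change_has_approved_ticket),
]


def evaluate(event, controls=CONTROLS):
    """Evaluate one event, as it arrives, against every control for its event type."""
    return [ControlException(c.control_id, c.owner, event)
            for c in controls
            if c.event_type == event["type"] and not c.passes(event)]


def process_stream(events, controls=CONTROLS):
    """Real-time loop in miniature: every event is checked the moment it is seen."""
    exceptions = []
    for event in events:
        exceptions.extend(evaluate(event, controls))
    return exceptions


def route(exceptions):
    """Group exceptions by owner: the queue each owner would be notified about."""
    queues = {}
    for ex in exceptions:
        queues.setdefault(ex.owner, []).append(ex.control_id)
    return queues


# Constructed event stream (not real data): ERP postings, an IAM grant, two changes.
SAMPLE_EVENTS = [
    {"type": "journal_entry", "amount": 250_000, "preparer": "user1", "approver": None},
    {"type": "journal_entry", "amount": 4_000, "preparer": "user2", "approver": None},
    {"type": "access_grant", "user": "user3", "role": "JE_APPROVE", "existing_roles": ["JE_CREATE"]},
    {"type": "system_change", "system": "erp", "ticket": "CHG-0001", "ticket_approved": True},
    {"type": "system_change", "system": "erp", "ticket": None},
]


if __name__ == "__main__":
    for owner, ids in route(process_stream(SAMPLE_EVENTS)).items():
        print(f"{owner}: {', '.join(ids)}")
```

In a production integration the `SAMPLE_EVENTS` list is replaced by a queue fed from the ERP, HRIS and identity provider, and `route` hands the exception to a ticketing or GRC system instead of building an in-memory dictionary; the evaluation logic in the middle does not change.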
This is operationally complex and expensive to build from scratch. It's what the next generation of GRC platforms — including AssurAI's Continuous Monitoring module — is designed to deliver as a configurable, out-of-the-box capability rather than a custom engineering project.
The biggest barrier to continuous monitoring isn't technology. It's internal resistance from audit teams who see it as more work, not less. The right framing is the opposite: continuous monitoring means your annual test becomes a confirmation, not a discovery. You already know what the full year looked like. The audit is just signing off on the conclusion.
Here's a practical path for any team:
The annual audit cycle isn't going away immediately. PCAOB standards still require periodic sampling and substantive testing. But the teams that add continuous monitoring on top of annual testing are the ones who stop being surprised by what they find — and start being the people who find things before anyone else does.
That's the goal. Not more audit work. Smarter audit coverage, applied where and when it matters.
AssurAI Continuous Monitoring is available now — connect your ERP, identity management system, or upload CSV data. Build monitoring rules in plain English, run them on any schedule, and get AI-summarised exception reports.
Shakeel Hussain Khan is the founder of AssurAI and a Chartered Accountant with 25 years of GRC leadership experience. He has built and run internal audit functions at both Big 4 and Fortune 500 level.
Join 200+ internal audit and compliance professionals already using AssurAI.