A variety of processes to control various types of risks should be measured and/or monitored on a real time or near-real-time basis. Many of these processes are system controls, manifested as programmatic blocks, gates or flags. Some gates define acceptable tolerances or thresholds (which if exceeded, flag investigation or remediation processes), while others specifically block certain actions or conditions (such as prohibiting persons with particular roles from having conflicting system access rights, or specifically blocking unauthorized file downloads).
Other continuous assurance controls employ separate applications that might interrogate data or information (log files, transaction logs or possibly real-time information) with predefined sets of business rules that look for and flag conditions that warrant investigation. This includes items ranging from segregation of duties to biometrics (such as face screening of passengers entering airports).
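The threshold gates, hard blocks and rule-driven log interrogation described above, as an added example that is not part of the original text: a small Python rule engine that runs predefined business rules over a constructed transaction log and a constructed access-rights snapshot, flagging conditions that warrant investigation (a tolerance breach) and blocking conditions that must not occur (an unauthorized file download, a segregation-of-duties conflict). The rule names, threshold value, role names and sample records are all assumptions made for illustration.

```python
"""Added example of continuous-assurance rules run over log data.
Hypothetical code, not from any product; all sample data is constructed."""
from dataclasses import dataclass

# Constructed sample of transaction-log records (not real data).
TRANSACTIONS = [
    {"id": "T1", "user": "alice", "action": "wire_transfer", "amount": 4_500},
    {"id": "T2", "user": "bob",   "action": "wire_transfer", "amount": 25_000},
    {"id": "T3", "user": "carol", "action": "file_download", "amount": 0},
]

# Constructed access-rights snapshot: user -> set of roles held.
ACCESS_RIGHTS = {
    "alice": {"create_vendor"},
    "bob":   {"create_vendor", "approve_payment"},  # conflicting pair
    "carol": {"read_reports"},
}

# Segregation-of-duties matrix (assumed): role pairs one person may not hold.
SOD_CONFLICTS = {frozenset({"create_vendor", "approve_payment"})}

# Tolerance gate (assumed value): wire transfers above this are flagged.
WIRE_THRESHOLD = 10_000

# Actions that are blocked outright rather than flagged for review.
BLOCKED_ACTIONS = {"file_download"}


@dataclass
class Finding:
    kind: str     # "flag" = investigate/remediate, "block" = prevent the action
    rule: str     # which business rule fired
    subject: str  # transaction id or user the finding concerns
    detail: str


def threshold_rule(tx):
    """Tolerance gate: flag, but do not block, transfers over the threshold."""
    if tx["action"] == "wire_transfer" and tx["amount"] > WIRE_THRESHOLD:
        return Finding("flag", "wire_threshold", tx["id"],
                       f"amount {tx['amount']} exceeds {WIRE_THRESHOLD}")
    return None


def blocked_action_rule(tx):
    """Hard block: actions in BLOCKED_ACTIONS are refused, not merely flagged."""
    if tx["action"] in BLOCKED_ACTIONS:
        return Finding("block", "blocked_action", tx["id"],
                       f"{tx['action']} by {tx['user']} is not permitted")
    return None


def sod_rule(user, roles):
    """Hard block: a user holding both halves of a conflicting pair."""
    for pair in SOD_CONFLICTS:
        if pair <= roles:  # frozenset subset test against the user's role set
            return Finding("block", "segregation_of_duties", user,
                           "holds conflicting roles " + ", ".join(sorted(pair)))
    return None


def evaluate(transactions, access_rights):
    """Run every rule over the log and the access snapshot; return all findings."""
    findings = []
    for tx in transactions:
        for rule in (threshold_rule, blocked_action_rule):
            finding = rule(tx)
            if finding:
                findings.append(finding)
    for user, roles in access_rights.items():
        finding = sod_rule(user, roles)
        if finding:
            findings.append(finding)
    return findings


def summarize(findings):
    """Group subjects by outcome so flags and blocks can be routed separately."""
    return {
        "flag": sorted(f.subject for f in findings if f.kind == "flag"),
        "block": sorted(f.subject for f in findings if f.kind == "block"),
    }


if __name__ == "__main__":
    for f in evaluate(TRANSACTIONS, ACCESS_RIGHTS):
        print(f"{f.kind.upper():5} {f.rule:22} {f.subject:6} {f.detail}")
```

On the constructed data, T2 is flagged for investigation (over the tolerance), T3 is blocked (unauthorized download) and bob is blocked (conflicting roles); everything else passes silently. In practice the `flag` findings would feed an investigation or remediation queue while the `block` findings would be enforced in the system itself.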
Finally, some individuals may actually "perform" controls and validate their results. This may include daily reconciliations of bank statement balances, or physical walk-throughs of high-risk facilities such as airports or nuclear power plants, to provide continuous assurance for physical risks.
An organization should monitor responses and control activities for ongoing relevance and effectiveness. Ongoing monitoring should be built into the organization's operating activities and performed on a continuous and real-time basis. Effective monitoring activities dynamically adapt to a changing environment.
Principles
> Mix of "push" and "pull" structures
> Mix of automated and manual procedures
> Analysis of control information
Business Objectives
- To evaluate the design and operational effectiveness of the program on an ongoing basis
Considerations
- Consider the most appropriate type of control for each activity and its attendant risk
Critical Success Factors
- Regular analysis of control information