Webinar Recap: Are continuous controls the new baseline?

Continuous controls are increasingly showing up on CFO and audit committee agendas, often framed as the new baseline. But "the new baseline" can sound like a settled fact, and the reality is more divisive than that. IT and cybersecurity teams have been monitoring in real time for years, while finance, controlling and audit lean on the four eyes principle, where human validation isn't a nice-to-have, but the whole point.

This Compliance. Curated. [Online] session wasn't built to argue for a single right answer. It was an open discussion – one meant to share honest perspectives, add nuance, and work out when continuous controls genuinely make sense, and when they're just hype.

The conversation brought together Tamara Berben, a governance, risk and compliance advisor with an IT audit background, and Carolina Maia de Biagio, Head of Financial Controlling and Compliance at DFDS, the Danish-listed ferry and logistics group. The full session is available on demand here.

The goal

The webinar opened by asking the audience if continuous controls was actually part of their goals. Here are the results:

The answer was a clear yes – but with nuance underneath. Almost two thirds (64%) said continuous controls are a goal, and another 23% are pursuing them in some departments. Only 5% said no, while 9% weren't sure. So the ambition is widely shared. The harder question, and the one the panel spent most of its time on, is what "continuous" should actually mean in practice, and where it earns its place.

The big picture

The honest answer to the question in the title is: it depends. Continuous controls add real value in some places and don't belong in others, and the panel was clear that "continuous" is often confused with full automation. The bigger goal isn't automating everything; it's continuous assurance, where controls stay aligned to a risk picture that keeps moving. Tamara was firm that this isn't automation for its own sake – the aim, as she put it, is "to identify issues earlier, reduce manual effort, and let management make decisions based on current information rather than historical snapshots."

That distinction matters because what "continuous" looks like in IT – real-time monitoring of digital activity – doesn't translate cleanly to finance, where the biggest risks involve judgment, not just data. Rule-based work like intercompany matching, or document checks before a transaction is booked, is a natural fit for automation. Judgment calls like impairment, complex revenue recognition or a lease renewal are not. For Carolina, continuous controls are less a deliberate strategy than a by-product of automating in the first place: "if you have an automated process, you should have the controls embedded in there," she noted.

The panel was equally candid about why ambition so often outpaces reality: legacy frameworks built for annual cycles, fragmented data and ERP landscapes, and a culture that still treats controls as a compliance exercise rather than a management tool. The framework itself also tends to fall quietly out of date as the business changes around it. Carolina put DFDS squarely in that bucket – its internal control catalog has been in place for 10 or 11 years, and after a run of acquisitions, a turnaround and new geographies, she sees now as the right moment to "build a new catalog appropriate for today's risks and today's business, not the business we had a decade ago."

One warning stood out. A dashboard can confirm that a control has ruan, but not whether it was the right control. Tamara reduced it to two different questions: continuous monitoring answers "is the control operating?" – but management and internal audit should still ask "is this the right control for today's risks?"

Key takeaways

• Continuous controls and continuous controls monitoring aren't the same thing – and continuous assurance is the goal worth aiming for.
• It's not all-or-nothing. Automate where the work is rule-based and the business case is clear; protect human judgment where it genuinely mitigates risk.
• Watch for false comfort. A control that runs isn't the same as the right control running effectively.
• Revisit the framework on purpose. The world moves faster than most control catalogs, and keeping them relevant is the step most worth protecting.

Keep the conversation going

This session was part of Compliance. Curated., Impero's ongoing series for finance, tax and compliance professionals. To watch other sessions, check out the full playlist on YouTube. The next stop is Impero's flagship event, Compliance. Curated., on Sept 16-17 in Copenhagen.

To explore where continuous controls fit in a specific setup, get in touch with the Impero team for a walkthrough of how the platform can help.