I recently wrote about the importance of continuous monitoring of processes to improve management effectiveness (see “Time for Increased Automation of Enterprise Risk Management”). Using automation for continuous monitoring substantially reduces the risks of fraud and process errors and does so in a cost-effective manner. Although monitoring initially gained attention as a Sarbanes-Oxley compliance mechanism, there are other important reasons for implementing these sorts of mechanisms beyond regulatory compliance. Indeed, they go back to the basics of financial governance and controllership.
Budgets, multiple invoice matching, vendor and customer credit approval processes, separation of duties and the like are all part of the broad effort to ensure that an organization’s resources are spent wisely according to an approved plan and that the organization is not defrauded by anyone on either the inside or outside. Companies hire external auditors to attest to the correctness of their financial statements and in larger and some midsize organizations, there usually are internal auditors that provide ongoing oversight to prevent fraud or misallocation of funds.
Beyond fraud, there are the issues of errors and misuse. While not routine, companies often make duplicate payments to suppliers, which may or may not be caught, make payments to vendors that have not been approved, or pay the wrong amount. Budgets are not always spent appropriately, especially when it comes to travel and entertainment.
Initially, computers were a threat to financial governance because they eliminated the ability to apply once-traditional forensic techniques (such as detecting the physical alteration of paper records). Worse, early computer-based accounting systems were difficult to audit or control, which led to a large number of highly publicized frauds. (For example, in more than one case clever bank employees skimmed off the fractional cents from interest paid to depositors and swept them into their own accounts.) However, as computers have become more powerful, and as the scope of process automation in companies has broadened, it has become much easier to use them for continuous monitoring.
One vendor worth highlighting in this area is Oversight Systems. Its software provides continuous monitoring of end-to-end processes including order-to-cash and procure-to-pay, travel and entertainment, purchasing card outlays and accounting (such as a missing recurring entry, suspicious patterns or misattribution of capital or operating expense items). Continuous monitoring of specific business processes automates the same sort of tests and application of rules of thumb (heuristics) that an auditor or forensic accountant would apply. Because these are applied to every transaction and, owing to the nature of IT systems, can be even more effective at spotting patterns, there are fewer “dropped balls” and faster discovery with less human effort. Resolving issues and preventing them from occurring takes place sooner. Its systems keep track of where issues are in their resolution process and maintain an audit trail of who signed off on what and when. Even better, the continuous monitoring is available in a software-as-a-service configuration, meaning that it requires a limited up-front investment and does not require ongoing internal maintenance and support. Oversight Systems provides this range of capabilities through the application of analytics on an audit data warehouse that integrates data from applications and systems across the enterprise. The application provides dashboards so that anyone who needs to can easily keep tabs on what’s happening and quickly determine when conditions require their attention.
Continuous monitoring ought to be a core part of a company’s GRC efforts across finance, operations and IT. Unfortunately, although I think a large number of companies, government entities or other organizations might find automated continuous monitoring systems cost effective, they may never consider it. Many senior executives either are not aware of it or do not understand the breadth of its potential benefits. They may therefore regard continuous monitoring as a low priority, especially if its natural internal advocates – the controller or internal audit staff – do not have much influence. I think controllers and CFOs in particular should become familiar enough with continuous monitoring to make an informed judgment on whether it would be useful and cost effective. Unfortunately many organizations think a continuous monitoring system will have to be custom built or require long consulting cycles. On the contrary, Oversight Systems has made it easy to get started and substantially improve your company’s governance and control without long IT implementations.
Let me know your thoughts or come and collaborate with me on Facebook, LinkedIn and Twitter.
Regards,
Robert D. Kugel - SVP Research