Continuous controls monitoring (CCM) can help reduce compliance costs, strengthen the control environment, and reduce the risk of unintentional errors and fraud. Learn how using CCM in your GRC activities can improve business process operations in an efficient, cost-effective manner.
Key Concept
Automated continuous control monitoring (CCM) can provide a wealth of benefits to a control and compliance framework including: automating previously manual controls, eliminating excessive control testing, enabling organizations to make control self-assessments more accessible, sustaining compliance with one or more regulations, enabling test results to be reusable across multiple compliance frameworks, minimizing the risk of business losses via errors or fraudulent activities by reporting control breakdowns as they happen, and delivering a return on investment by improving business process operations. Other less obvious benefits include using CCM as a central repository for documenting, scheduling, executing, and recording results of controls operation and testing.
The current economic climate has presented many major headaches for employers. One that is discussed less often than reduced sales and higher operating costs is the increased risk of employee fraud. The elevated risk of being made redundant, or the frustration of having salaries frozen (or even reduced) for the foreseeable future, can make previously loyal staff search for control gaps in a business process that can be exploited for their financial gain. In addition, poor security and inappropriate levels of system access can lead to increased opportunities for users to perform fraudulent activities that can ultimately result in inaccurate financial reporting, or even material misstatements.
In striving for compliance with regulatory requirements such as Sarbanes-Oxley, many enterprises have already made significant strides in mapping their financial processes. These include identifying risks to the accuracy of financial reporting, documenting the internal controls (both business process and IT) necessary to mitigate these risks, and operating these controls as required to ensure compliance. However, the path to compliance is not without cost. The extensive resources needed to design, develop, operate, test, and assess compliance control points have resulted in significant financial burdens for most organizations.
The initial achievement of compliance is just the beginning. Compliance is a continuous journey, and after attaining an acceptable level of compliance through the implementation of a compliance and control framework, significant ongoing resource costs are often required to maintain compliance and ensure that internal controls are operating effectively. Many companies lack the internal resources or skill sets to maintain compliance, and they must continue to rely on external facilities to support ongoing compliance activities, which further increases cost. However, it remains a necessary evil to meet regulatory requirements and prevent fraudulent activities from affecting the financial statements. The answer lies in finding a way to streamline this process.
Operating and Monitoring Controls — A Manual Burden
Organizations with a robust compliance and control framework have a number of internal controls that they need to operate on a regular basis. For example, a detective control might be a report run at the end of each monthly payroll to ensure that no payments have been duplicated.
Although many companies have automated some of their controls, most controls remain manual and need to be proactively operated by the control owners themselves. For example, controls that act as checkpoints within a process (such as approval required for a user provisioning request) tend to be manual in nature and need to be performed on an as-required basis. In contrast, controls that are based on system parameter settings (e.g., configuring a three-way match requirement between invoice, purchase order, and goods receipt to prevent payment of potentially invalid invoices) are likely to be automated and so, once set up, operate automatically. Despite this, the subsequent periodic review of reports highlighting unmatched invoices needs to be performed as a manual control to resolve and clear these items.
In addition to manually operating these controls as required, you must also perform manual checks to verify that the controls are working, rather than assuming so without testing. This controls monitoring helps measure the potential gap between theory and reality. Without such monitoring activities, controls could be changed without the owner’s knowledge and compliance would no longer be achieved.
Despite their investment and dedication toward compliance initiatives, many organizations don’t have the necessary resources to evaluate the operational effectiveness of their internal controls on a frequent basis and therefore lack confidence in their ability to pass controls testing. It also means they rely on feedback on issues from their external auditors, which is clearly not a desired route. In addition, required corrective actions will not be timely enough to prevent issues being raised in the auditor’s internal control report.
What Is CCM and Why Use It?
Asking five different companies to define continuous controls monitoring (CCM) will provoke five different responses. There is no single accepted definition, and consequently this can cause confusion among organizations seeking further information when considering a CCM solution. However, despite this lack of uniformity, there are general concepts that remain constant and help provide clarity regarding the practical application of CCM and its undoubted benefits.
CCM is essentially a technology solution for continuous monitoring that provides users with real-time status assurances for all of their compliance control points. Within SAP systems, the technology involved can range from capabilities in SAP BusinessObjects Process Control to creating custom ABAP programs for your SAP ERP system. The more advanced controls, including event-driven and periodically run rules, as well as a complete audit trail of what actions were taken, are available in SAP BusinessObjects Process Control.
For example, you can configure a rule that triggers an automatic review of the payment run output and sends results to the manager responsible for monitoring duplicate payments. Any exceptions are flagged in the control output and then reviewed by the control owner for relevant action. The automation of the control now means that the manager does not have to actively perform the review and is only alerted when required, with subsequent reviews based on exceptions only. This reduces the burden on the control owner, who can then perform more value-add activities and help deliver significant business process improvements.
For controls to be included in a CCM solution, they need to be automated. In the previous example, the manual operation of running a report every month in the business application and reviewing it to identify duplicate payments (even if none actually exist) is converted into an automated control. You can achieve this by linking a rule to an executable program that automatically runs this function periodically (or as required). Manually driven controls can therefore be assigned to a program within the business application system with the relevant rules applied, and scheduled as appropriate from within the CCM system, where the results and alerts are also recorded (Figure 1).
Figure 1: Integration between CCM and business application
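To make the duplicate-payment rule described above concrete, here is an added example (not code from the article or from SAP BusinessObjects Process Control) of an exception-only control run over a payment run. The Payment records, the two matching rules (same vendor and same normalised invoice reference; same vendor and same amount within a date window) and the 30-day window are all constructed assumptions for illustration.

```python
"""Exception-only duplicate-payment rule over a payment run (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Payment:
    doc_id: str       # payment document number
    vendor: str       # vendor master id
    invoice_ref: str  # vendor invoice reference as keyed in by the clerk
    amount: float
    posted: date


def normalise_ref(ref: str) -> str:
    """Collapse case, spaces and punctuation so 'INV-001' and 'inv 001' compare equal."""
    return "".join(ch for ch in ref.upper() if ch.isalnum())


def find_duplicates(payments, window_days=30):
    """Return one exception per suspicious pair of payments to the same vendor.

    Rule SAME_REFERENCE: identical (normalised) invoice reference.
    Rule SAME_AMOUNT_IN_WINDOW: identical amount posted within window_days
    under a different reference (a likely re-keyed invoice).
    """
    exceptions = []
    by_vendor = defaultdict(list)
    for p in payments:
        by_vendor[p.vendor].append(p)
    for vendor, items in by_vendor.items():
        items = sorted(items, key=lambda p: p.posted)
        for i, a in enumerate(items):
            for b in items[i + 1:]:
                same_ref = normalise_ref(a.invoice_ref) == normalise_ref(b.invoice_ref)
                same_amt = abs(a.amount - b.amount) < 0.005
                days_apart = (b.posted - a.posted).days
                if same_ref:
                    exceptions.append({"rule": "SAME_REFERENCE", "vendor": vendor,
                                       "docs": (a.doc_id, b.doc_id)})
                elif same_amt and days_apart <= window_days:
                    exceptions.append({"rule": "SAME_AMOUNT_IN_WINDOW", "vendor": vendor,
                                       "docs": (a.doc_id, b.doc_id), "days_apart": days_apart})
    return exceptions


def run_control(payments):
    """Evaluate the control once; the owner is alerted only when exceptions exist."""
    exceptions = find_duplicates(payments)
    return {
        "status": "EXCEPTION" if exceptions else "PASS",
        "exceptions": exceptions,
        "alert_owner": bool(exceptions),  # exception-based notification, no routine review
    }


# Constructed sample payment run: two duplicates hidden among ordinary payments.
SAMPLE_RUN = [
    Payment("5000001", "V100", "INV-001", 1200.00, date(2017, 3, 1)),
    Payment("5000002", "V100", "inv 001", 1200.00, date(2017, 3, 4)),   # same invoice re-keyed
    Payment("5000003", "V200", "INV-550", 845.50, date(2017, 3, 2)),
    Payment("5000004", "V200", "INV-551", 845.50, date(2017, 3, 20)),   # same amount, 18 days later
    Payment("5000005", "V300", "INV-900", 99.00, date(2017, 3, 5)),
]

if __name__ == "__main__":
    result = run_control(SAMPLE_RUN)
    print(result["status"])
    for exc in result["exceptions"]:
        print(exc)
```

Scheduling `run_control` after each payment run and recording its return value gives exactly the audit trail the article describes: every execution is logged, but the control owner only sees the runs whose status is EXCEPTION.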
Controls based on system parameter settings are already automated and configured in the application. In this case, the related control to be implemented for a CCM solution is a program in the business application system that notifies the control owner in the CCM system if any of the parameter settings have been changed. This ensures that the control is still operating as designed and hasn’t been changed unknowingly. This control is event driven and so the control owner is alerted by exception only. An example of this is the configuration of system password parameters, as these settings ensure strong system authentication controls are in place. You can use CCM to monitor the various parameter settings related to password controls, and any changes made to these settings are automatically flagged to the security administrator. Therefore, any unauthorized changes can be identified and corrected immediately, without compromising the security of the system.
It is evident that CCM can have a significant return on investment (ROI), so it should be straightforward to create a business case for its implementation. There are two main types of ROI for a CCM solution. The first is the significant time and labor costs saved due to the automation of either the operation or testing of controls. By automating, people can be reassigned to more productive operational tasks. Secondly, there are potentially huge returns by enabling monetary recovery or preventing monetary loss due to human error or fraudulent activities.
For example, a company may have a supplier that is billing two different divisions for the same goods or services. This may be due to a simple mistake by the supplier, or it could be intentional and therefore classified as fraud. If duplicate invoicing occurs and there is no CCM solution in place, the company may have to rely on manual controls to detect these duplicate invoices, which can lead to undetected exceptions and result in a control failure.
What Is the Scope for a CCM Solution?
In the past, CCM has been primarily focused on transactions, but some solutions, such as SAP BusinessObjects Access Control and SAP BusinessObjects Process Control, allow you to monitor all financial (and non-financial) transactions for compliance with internal controls. However, master data and application configuration (sometimes referred to as application controls) are also an integral part of CCM as control weaknesses in these areas can lead to incorrect transactional data.
For example, transactions related to the payment of invoices are generated by a program within the business application. However, this program relies on input from both application configuration (e.g., invoice tolerance thresholds) and master data (e.g., vendor bank account details in the vendor master record), as they determine whether the invoice should be paid in the first place and the relevant account that should receive it.
You can change both application configuration and master data, but the objective is to ensure that they are being changed in an authorized manner using the appropriate procedures and control points, and not due to human error or fraudulent intent. For a business process to operate effectively, the process or data owner needs to validate that changes to their system parameter settings (many of which are documented as controls) or master data are correct.
You can also use CCM to support segregation of duties (SoD) processes. Organizations can harness SoD analysis technology such as SAP BusinessObjects Access Control to automate the process of analyzing and monitoring SoD and sensitive access exceptions, remediating exceptions, and analyzing ongoing user access changes to prevent new risks. You can then integrate CCM tools such as SAP BusinessObjects Process Control to automate the documentation and review of mitigating controls where removal of access is not possible. The net result is reduced risk, fewer cases of human error, and less internal fraud.
Continuous Auditing and Control Self-Assessments
An automated control framework also facilitates a more effective and efficient way of testing the operating effectiveness of these controls. It is critical for the effective operation of a control and the ongoing prevention and detection of fraudulent activities in the system that the control owner periodically validates that the control is still operating as designed. This is known as a control self-assessment. Because this task has previously been labor intensive, time consuming, and costly, the tests of operating effectiveness end up being performed solely by internal and external auditors, rather than the control owners themselves.
Such audit reviews can also be time consuming for control owners as they have to extract reports and evidence requested by auditors as they select samples and test them for compliance and accuracy. In addition, sampling risk — the possibility that exceptions may exist in the untested part of the total population — is still an issue, and will continue to be if manual testing methods are used, as it is not possible to try all occurrences of a control over a given period.
CCM makes all of this relatively easy. For example, while a manual control such as the approval of user provisioning requests previously required an audit of 30 historical transactions, you can test automated controls using a black box positive-negative test approach with just two theoretical transactions to prove that the continuous monitoring control and the program logic behind the control are working properly. For example, if there is a control that monitors changes to password parameter settings, you would expect the control to be executed and the system administrator to be notified of the change when a password parameter setting changes. A black box positive test would be to change a password parameter setting and ensure that the relevant output is created (i.e., notification of the change to the relevant person). A negative test would be to ensure that changes to parameter settings outside the scope of the control do not cause a notification to be sent. Figure 2 shows an example of this in diagram form.
Figure 2: Black box testing
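The following added example (not code from the article or from SAP) ties together the event-driven password-parameter control described earlier and the black box positive/negative test just outlined. It compares the current profile against an approved baseline, emits a notification only when a monitored parameter has drifted, and wraps the two theoretical test transactions as functions. The parameter names are SAP profile parameter names used for illustration; the baseline values, the recipient address and the unmonitored parameter used in the negative test are constructed assumptions.

```python
"""Event-driven parameter-change control with black box positive/negative tests (added example)."""
import hashlib
import json

# Constructed approved baseline: values are illustrative, not a recommendation.
APPROVED_BASELINE = {
    "login/min_password_lng": "12",
    "login/password_expiration_time": "90",
    "login/fails_to_user_lock": "5",
}
# The control watches only these keys; other profile changes are out of scope.
MONITORED = frozenset(APPROVED_BASELINE)


def fingerprint(profile, monitored=MONITORED):
    """Stable hash of the monitored subset, handy for the CCM audit trail."""
    subset = {k: profile.get(k) for k in sorted(monitored)}
    return hashlib.sha256(json.dumps(subset, sort_keys=True).encode()).hexdigest()


def detect_changes(baseline, current, monitored=MONITORED):
    """List monitored parameters whose current value differs from the approved baseline."""
    changes = []
    for key in sorted(monitored):
        approved, now = baseline.get(key), current.get(key)
        if approved != now:
            changes.append({"parameter": key, "approved": approved, "current": now})
    return changes


def notify_if_changed(baseline, current, recipient="security.admin@example.invalid"):
    """Exception-only alert: a notification dict when drift exists, otherwise None."""
    changes = detect_changes(baseline, current)
    if not changes:
        return None
    return {
        "to": recipient,
        "subject": "Password parameter change detected",
        "baseline_fingerprint": fingerprint(baseline),
        "current_fingerprint": fingerprint(current),
        "changes": changes,
    }


def positive_test():
    """Black box positive test: weaken one monitored parameter; a notification must result."""
    current = dict(APPROVED_BASELINE)
    current["login/min_password_lng"] = "6"
    note = notify_if_changed(APPROVED_BASELINE, current)
    return note is not None and note["changes"] == [
        {"parameter": "login/min_password_lng", "approved": "12", "current": "6"}
    ]


def negative_test():
    """Black box negative test: change only an out-of-scope parameter; no notification."""
    current = dict(APPROVED_BASELINE)
    current["rdisp/max_wprun_time"] = "1200"   # not in MONITORED, so must be ignored
    return notify_if_changed(APPROVED_BASELINE, current) is None


if __name__ == "__main__":
    print("positive test:", "PASS" if positive_test() else "FAIL")
    print("negative test:", "PASS" if negative_test() else "FAIL")
```

Both tests passing is the evidence an auditor needs that the control fires when it should and stays silent when it should; the fingerprints recorded in each notification let the audit trail show which baseline a given alert was measured against.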
Additionally, if auditors want to dig deeper, they can also review the audit trail retained in the CCM system, which lists all occurrences of that control, all exceptions encountered, and whether the control owner dealt with those exceptions in the appropriate manner (which is another typical audit concern).
Therefore, the continuous monitoring of controls also has the potential to significantly change the landscape for the internal auditor. Internal audits test the existence of a control and gather evidence of it being operated. However, CCM means that the control has already been defined and implemented, with a full audit trail of the control’s operation. Although internal auditors will still have to spend some time auditing around a CCM system, they will have more time with which to take a more strategic approach to the organization’s risk management.
For example, internal auditors can perform valuable tasks such as reviewing the risks surrounding their organization and making sure all of these are covered by the internal controls in place. Internal auditors may also be able to include other systems and processes that they have not previously had time to audit. These may be operational reviews that help management to improve efficiency and costs, rather than merely focusing on meeting compliance and industry regulations.
Richard Hunt
Richard Hunt is managing director of Turnkey Consulting (www.turnkeyconsulting.com), a global IT security company specializing in combining business consulting with technical implementation to deliver information security solutions for SAP systems. He has worked in the IT security industry for more than a decade. His career began as a security consultant at PricewaterhouseCoopers (PwC), where he specialized in SAP security implementations and IT security reviews. He has been involved in more than 20 IT security projects working across a range of business processes and industry sectors across the UK, Asia, and Australasia.
You may contact the author at richard.hunt@turnkeyconsulting.com.
If you have comments about this article or publication, or would like to submit an article idea, please contact the editor.
Marc Jackson
Marc Jackson is a consultant at Turnkey Consulting. He has worked in the IT security and audit industry for the past decade. His career began as a security consultant at PwC, where he specialized in SAP security implementations before moving into systems assurance work. He provided audit support services for statutory financial audits as well as Sarbanes-Oxley compliance engagements, focusing both on SAP and non-SAP systems. Throughout his career, he has been involved in a number of security implementations and audit engagements working across a range of business processes and industry sectors across Europe and Asia.
Marc will be presenting at the upcoming SAPinsider GRC 2017 conference, June 14-16, 2017, in Amsterdam.
You may contact the author at marc.jackson@turnkeyconsulting.com.