Risk-based Continuous Monitoring/Auditing – Developments
If you have been reading my blogs and articles, you know I am an advocate of continuous monitoring (CM) and auditing (CA) – in particular when it is designed to provide assurance that business risks are managed and the related controls are operating effectively. While there is value in the detective, after-the-fact identification of defects in transactions, that is looking at the past. Providing assurance on the management of risks through effective controls has a forward-looking perspective. Controls provide comfort that today’s and tomorrow’s risks are managed and activities are and will be performed as intended.
You can download my paper, Continuous Risk and Control Assurance, at https://www.box.net/shared/0zviy39irb.
There have been a few developments:
- a report by the analyst firm Gartner on CA/CM software solutions
- a new publication by KPMG on the topic, and
- affirmation for my ideas.
In March, Gartner released their “Magic Quadrant for Continuous Controls Monitoring (CCM)” report. According to Gartner, “Within the governance, risk and compliance (GRC) marketplace, continuous controls monitoring (CCM) is a set of technologies that assist the business in reducing business losses from fraud or failure to follow rules governing financial transactions, and improving performance through continuous monitoring (CM) and reducing the cost of auditing through continuous audit (CA) of the automated controls in ERP systems or other financial applications.”
According to the report, “The CCM market is far from mature, but the leaders in the market have had a significant presence in the market for many years. They all have strong, market-tested CCM for segregation of duties (CCM-SOD) capabilities and offer CCM for transactions (CCM-T). Their CCM for application configuration (CCM-AC) and CCM for master data (CCM-MD) capabilities are adequate to support primary CCM-SOD and CCM-T functions. When lacking in multiplatform capabilities, they have services and technology partnerships to fill the gap.”
They continue: “SAP® BusinessObjects™ governance, risk, and compliance (GRC) solutions support principles of CCM, enabling companies to lower compliance costs, improve financial governance and improve operational performance. With applications for risk management; access control; process control; global trade services; environment, health and safety management; and sustainability performance management, the solutions help organizations reduce losses from fraud, and comply with rules governing financial transactions. They can also help improve organizational performance through continuous monitoring, and reduce the cost of auditing through continuous audit of automated controls in enterprise resource planning (ERP) systems. SAP BusinessObjects GRC solutions are integrated with SAP BusinessObjects enterprise performance management (EPM) solutions to bring customers increased visibility into their entire enterprise.”
At a later date, I plan to share how SAP’s solutions for CA/CM go beyond Gartner’s scope (for their report) of financial reporting to address the monitoring of risks and controls across the enterprise.
Now to the recently released paper by KPMG on “Continuous Auditing Reexamined”. You can download it, with my other files, from my LinkedIn profile or at https://www.box.net/shared/etsm9vhvsp.
KPMG performed a survey to determine what is driving implementation of CM and CA. They found that those who have deployed the technique are using it for:
- Fraud detection/prevention – 68% of those responding
- Risk management (risk monitoring) – 50%
- SOX compliance – 40%
- Compliance with policies and procedures – 38%
- Regulatory compliance – 29%
However, KPMG believes that in this economic environment, the more significant drivers for implementation are “stakeholder demands that management improve its governance capabilities to enhance oversight and transparency and manage risk. The same stakeholders also expect management to improve performance and profitability.”
They suggest that “automating risk monitoring (i.e., through CM) in a repeatable and sustainable manner is the beginning for management (and the internal auditors) to move towards a continuous risk assessment process”. This is a key element in my continuous risk and control assurance model (see the paper referenced above).
With respect to performance and profitability, KPMG suggests that “CA/CM can enable organizations to (1) automate controls, processes, and activities to streamline operations and drive efficiencies; and (2) deploy monitoring activities that help them leverage the benefits of such efforts – and prevent them from lapsing back into inefficient patterns”.
KPMG talks about ensuring the CA/CM program is integrated with the assurance program. In my vision of the future, the assurance program is driven to a very large degree by CA/CM techniques – resulting in continuous risk and control assurance.
What I particularly like about the KPMG report is that it focuses on the broader business view and is grounded in risk.
Affirmation for Risk-Based CA/CM
First, I had an article published on “Continuous Auditing Reexamined” in ISACA’s Journal Online (volume 1, 2010), and then I received an award from the IIA for an article on “Beyond Continuous Auditing”, which was published in Internal Auditor in December 2009. It was great to see these acknowledgements from the two professional organizations.
Of course, I continue to speak on the topic of risk-based continuous monitoring/auditing, the latest being at ISACA’s Euro CACS conference in March, in Budapest. As usual, the presentation was well received by practitioners hungry for advice on how to implement continuous auditing at their organizations and, in a few cases, how to use SAP’s technology to enable it. I was especially pleased to meet with the highly respected Hugh Penri-Williams, who is well-known within ISACA, and learn that he used some of my materials in his presentation on “Continuous Auditing – Implications for Assurance, Monitoring, and Risk Assessment” at the IIA’s All-India conference in February, 2010.
As always, I welcome your comments and perspectives.