Home > Risk > Study reports on the Benefits of Continuous Monitoring

Study reports on the Benefits of Continuous Monitoring

Released by the Financial Executives Research Foundation, and sponsored by Infogix, this study on the Benefits of Continuous Monitoring is by individuals with excellent credentials in the area. I have known Professor Sri Ramamoorti for a long time, and as a partner with Grant Thornton he was one of the team that wrote the COSO Guidance on Monitoring Internal Control Systems. Michael Cangemi has been a board member of COSO, representing the Financial Executives International. The third author of this study on continuous monitoring is William M. Sinnett, Director of Research at the Financial Executives Research Foundation.

I recommend the study for its several case studies, examples of companies who have used continuous monitoring techniques to advantage.

The study also drew a number of valuable conclusions about what makes the practice successful.

However, I admit to having some serious reservations about the study:

  • There is a major difference between the monitoring of internal controls, to ensure they function as intended – as described in the COSO Internal Controls Framework (ICF)-  and the monitoring of transactions and other activity to detect errors, higher levels of risk, or potential fraud. Each has value, but they are different. (See links to further discussions at the end of this post).
  • It is interesting that the authors have used definitions from Deloitte rather than COSO.

COSO: “Internal control systems need to be monitored–a process that assesses the quality of the system’s performance over time. This is accomplished through ongoing monitoring activities, separate evaluations or a combination of the two. Ongoing monitoring occurs in the course of operations. It includes regular management and supervisory activities, and other actions personnel take in performing their duties. The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures. Internal control deficiencies should be reported upstream, with serious matters reported to top management and the board.”

Deloitte: “Continuous monitoring enables management to continually review business processes for adherence to and deviations from their intended levels of performance and effectiveness.‖

“CM is an automated, ongoing process that enables management to:

– Assess the effectiveness of controls and detect associated risk issues;

– Improve business processes and activities while adhering to ethical and compliance standards;

– Execute more timely quantitative and qualitative risk-related decisions; and

– Increase the cost-effectiveness of controls and monitoring through IT solutions.”

  • This paper studies the monitoring of transactions and activity, not so much the performance or reliability of internal controls. Frankly, this form of monitoring is not an activity in the COSO Monitoring component of ICF; these are (pure and simple) detective controls in the Controls Activity component. The value in the discussion is that improvements in technology have made detective controls more powerful as well as easier to deploy and use.
  • A study on monitoring that refers to COSO should, in my opinion, include more examples and discussion of how monitoring of controls can be improved.
  • Any deployment of resources to monitor transactions and activity should be risk-based. While the observations in the report that continuous monitoring technology is often applied to payment activity, this is (in my opinion) more because it is easier to deploy the technology in that area than to build a risk-based monitoring program designed to monitor areas of greater risk to the organization. In other words, I advocate use of this technique where it matters.

For more on this topic, check out these posts:

  1. August 30, 2011 at 10:30 AM

    Norman
    We appreciate your comments and fully agree there is a difference, as you say, between “the monitoring of internal controls, to ensure they function as intended – as described in the COSO Internal Controls Framework (ICF)- and the monitoring of transactions and other activity to detect errors, higher levels of risk, or potential fraud. Each has value, but they are different.” We would also add that there are more reasons to use continuous monitoring even beyond, “to detect errors, higher levels of risk, or potential fraud.”

    As my co-author, Sri Ramamoorti, wrote we intentionally focused our research to continuous monitoring. The research is directed to senior management via the CFO. While all business managers are (or should be) appropriately concerned with monitoring internal control – our research was focused on using monitoring to improve the business processes, as well as, IC. I looked back at the Executive Summary, and the research report, and we tried, and we believed we succeeded in making this clear. However, your comments concern me if, for professionals who are deeply involved in the control community, we may not have made this clear enough!

    As co-author, Sri Ramamoorti mentioned – I outlined my thoughts on what the control community should be doing to expand the engagement of business managers in CM, in my paper last year, “Internal Audit’s Role in CM”, published in EDPACS. This article, which I hope you will direct to your readers as a reference, also states the difference between continuous control monitoring and the higher level CM.

    I tend to come at this subject based on my career experiences. It included a long deep dive in the control community – however, I eagerly sought out a business manager role – and strongly believe you first have to address the business and business processes, and then layer on control assessments. In my role as a CFO and later a CEO I learned firsthand about the bigger picture of living with the responsibility for satisfying a customer’s need (Peter Drucker – purpose of a business), creating profits and ROI, while creating job opportunities and the best working environment possible. Therefore it was natural for me to start this research above the control elements of a business.

    I had an early and sustained interest in “the business” and had a larger strategic view, even when I was in the control community (Public Accountant, CAE). Even so I also understood the need for controls and risks methodologies expressed in COSO, other frameworks and blogs. We (the authors) believe CM has strategic business importance, which is supported by most of the companies we studied. Many business managers do not look at the business through the lens of a framework like COSO. This in no way implies the view through COSO is not appropriate.

    I don’t disagree with any of your comments under – “serious reservations” – however they are centered on continuous controls monitoring – which is a subset of CM, in our view. CM may be in many cases, as you say “just a detective control” – however, we are trying to focus senior management on the need to use CM to improve their business – and business processes. We tried to make this point with the example which addresses business reputation, as well as, satisfying a customer’s need, as follows:

    “A good example is a letter to the editor of The New York Times in 2010. A cell phone customer traveled to Mexico on a vacation. Her cell phone would not work there, but she used it at her departing airport in the U.S. On her return, she realized she had lost her phone. She received a bill from the cell phone company for over $2,000 in primarily fraudulent usage.

    Her letter stated that she was surprised that a technology company, like a cell phone provider, would not be monitoring her usage, which had been in the $70 range for years. What does continuous monitoring have to do with brand image? This woman and her widely read letter are doing two things, one she is confirming that the customer expectation is that companies they work with should use technology to deliver better service, and two, if they don‘t, their reputation will suffer. Remember what Warren Buffet said: ―It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you’ll do things differently.”

    Hence – the suggestion, that senior management view CM as an advancement of their business process – like how customers have come to expect the Federal Express standard – know where your package is, by monitoring. We are trying to find a way to get SM interested in and more supportive of the concept of monitoring. This should help the control community too when they suggest more intelligent automated monitoring of controls! However, we believe that CM can satisfy a customer’s need, in this case senior management’s need for using automated CM to improve their business processes.

  2. August 30, 2011 at 11:39 AM

    The research team identified a number of key findings from this research:
     CM Deployment: Leading companies recognize the importance of Monitoring,
    and are effectively deploying CM across functions and departments. They
    recognize how CM can be a precondition for achieving superior corporate
    performance as well as governance outcomes.
     Resourcing CM Initiatives: Continuous Monitoring programs require a
    company focus and a commitment of resources. Some companies
    mentioned the need for Return on Investment (ROI) estimates, but others
    look beyond monetary justifications and focus instead of operational
    effectiveness and risk reduction.
     Need for CM Champion: Continuous Monitoring programs need a Champion,
    preferably at a senior executive level, because resources will be required.
     Internal Audit as Evangelists: Although CM is a business operations issue,
    Internal Auditors (IAs), due to their familiarity with Continuous Auditing (CA),
    often become the champions of CM programs.
     CM of Payment Streams: CM is often initiated in payment-related areas, such
    as Accounts Payable and Claim Payments, in which, due to cash recoveries,
    the ROI can be estimated.
     CM Software and Tools: There are many new CM software products available
    that have improved capabilities and lowered the cost of using CM.
     Expanding Applications: For all of the companies that launched a CM initiative,
    there was a keen desire to expand the application beyond the initial
    sponsoring department or division, as well as move up the maturity curve.
     Benchmarking: Each company in our sample was curious to learn more about
    CM is deployed in other environments and industries with a view to improving
    their own processes. This was also a prime reason for their participation in
    this research.

  3. Norman Marks
    August 30, 2011 at 4:59 PM

    Michael and Sri,

    I hope you know that I have great respect for each of you, and I appreciate your comments.

    My problem was I think caused by your early reference to COSO and its use of the term “monitoring”. Perhaps it might have been better if you had not talked about that, which is about the monitoring of controls. But, I do understand what you were trying to do, and commend you for explaining the value of what I would call CM/T – as distinct from CM/C.

    I might also have suggested that the use of CM/T should be viewed as a part of a combination of controls over risks, and it can be used effectively as a detective control:
    (a) to replace manual controls
    (b) to replace more expensive automated preventive controls, where the risk is low
    (c) to supplement preventive controls where it is critical to prevent what you can, and detect any leakage.

    Best
    Norman

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: