Editor's note: This is from a May 31, 2006 RFG Research Brief entitled "Sustainable Compliance 101: Continuous Controls Monitoring" by lead analysts John Van Decker and Sara Braunstein

Client Challenge: As firms move into the third year of the Sarbanes-Oxley (SOX) compliance era, senior executives in finance, IT and other lines of business (LOBs) are focusing on sustainable and affordable effectiveness in internal controls surrounding critical business processes. RFG received an inquiry from a client that is challenged with making processes compliant, for fewer dollars and more quickly. The company is trying to determine what to prioritize in terms of making business processes and applications compliance-proof, and wonders if there is any low-hanging fruit that can provide significant business value without major investment. RFG recommended continuous controls monitoring (CCM) solutions to this client, to aid it in meeting The Committee of Sponsoring Organizations of the Treadway Commission (COSO) requirements for financial transactions.

Recommendations: Despite recent promises from the U.S. Securities and Exchange Commission (SEC) and the Public Accounting Oversight Board (PCAOB) for clearer guidance for Section 404 compliance, audit committees, internal auditors and other senior parties must seek continuous compliance without wasting resources. According to a recent Financial Executives International (FEI) survey, many firms are hopeful that the SEC will allow auditors to rely more on internal process management that ensures compliance of key financial processes.

Technology can play a valuable role in meeting this challenge. Yet, management is rightly skeptical about the claims of the growing roster of software vendors promising "everything the CFO needs for SOX compliance." There is no technological silver bullet for either initial or sustainable compliance.

A recent applications space referred to as continuous controls monitoring (CCM) provides a means of ensuring effective 404-related controls. In addition, CCM supports management in mitigating operational inefficiencies, pinpointing fraud, and reducing financial errors. Although CCM is similar to audit software, it addresses the compliance problem as an enterprise solution, rather than software specifically for the audit department.

CCM software products, such as those from ACL Services Ltd., Horwath Australia Ltd. (IDEA), Infogix, Inc. and Oversight Systems, Inc., can be extremely valuable in supporting the audit function in the SOX 404 environment. These solutions automate the process of probing for anomalies and fraud risk exposure within financial processes and procedures. As forensic tools for discovering the "paper trail" of suspected or known frauds, these products take the audit process, once reserved exclusively for internal and external audit, and repurpose it as an ongoing continuous monitoring enterprise application. As a continuous monitoring tool, it can identify a problem that is in the transaction channel, often before it can create havoc with financial reporting. As a firm becomes more aware of errors earlier in the process, there is an opportunity to correct those problems before they become material.

CCM applications continuously monitor financial and operational transactions associated with specific business processes, and flag those transactions that are inconsistent with the controls that govern the process, and are therefore potentially fraudulent. As such, these solutions can measure the effectiveness (or deficiencies) of internal controls necessary for proper 404 compliance.

The key to any enterprise application is in its configuration and how it is integrated into the business process. This is the same with CCM. When properly configured, CCM software thoroughly monitors individual financial transactions from one operational phase to the next, often flagging fraudulent anomalies before the transaction is completed. The following are representative of the scope of CCM functionality in applications today.

  • Accounts payable (A/P) tampering
  • Bogus invoices, refunds or travel and entertainment (T&E) expense claims from customers, employees or vendors
  • Duplicate payments, missing allowances and over-payments
  • Fictitious employees on the payroll
  • Fraudulently booked commissions
  • Phony ("ghost") vendors that invoice the company for payment

In addition to the above functionality for these solutions, CCM can help with the following.

  • Enable timely notification of control weaknesses.
  • Improve operational efficiency and profitability.
  • Monitor financial transaction integrity across company departments.
  • Provide audit evidence.

Closely related to the potential for improving operational efficiency, CCM can identify internal control weaknesses and report them to management promptly. This allows for quick remediation, and in turn, reduces losses due to fraud, error or operational inefficiency. CCM's continuous monitoring for fraud and control weaknesses results in less waste of human and financial resources and improved profit performance. By independently testing controls through financial transaction analysis at the source level, CCM is able to demonstrate the viability, or lack thereof, of controls and financial transactions company-wide. In helping to streamline ongoing SOX compliance, CCM generates a thorough audit trail of control testing, to validate that controls are working or whether they require refinement.

Below are some specific examples that enterprise executives should consider.

  • General ledger (GL)
  • Order-to-cash
  • Purchase-to-payment

CCM is well-suited for screening duplicate, missing, restricted, unauthorized or otherwise suspicious journal entries. It also supports control of journal entries within the GL but outside of the enterprise sub-ledger system. Such adjustments must be validated independently of the GL system controls, to ensure that the transactions are booked to the appropriate accounts.

Properly configured, CCM monitors for fraudulent events in the order-to-cash process by ensuring that the company is conducting business only with approved customers or in compliance with established credit limit policies.

Automation of A/P purchasing operations has been a high priority for many large companies in recent years. Without continuous A/P transaction oversight, opportunities for crimes such as creation of sham corporations, duplicate payments, vendor fraud, etc. are significant. In addition to flagging crimes such as intentional billing "errors," shipping orders without invoices, etc., CCM ensures accurate management of journal entry timing - especially pre- and post-close entries.

With the space now in its third year of market maturity, firms are beginning to have choices in how to select CCM products. Clearly, there is an opportunity to try to tackle this through an incumbent business intelligence (BI) tool, such as those offered by Business Objects SA or Cognos, Inc. The difficulty will be to design the processes in the applications to take advantage of, and continue to keep up with, leading audit and controls best practices.

Pricing for CCM solutions is consistent with that of a best-of-breed enterprise application. One can expect to pay $100,000 to $300,000, depending upon the size and scope of the implementation. When the space develops, there will also be more innovation from the vendors, as competition increases and products maintain state-of-the-art status.

Many of the standard vendor evaluation criteria should be considered when evaluating a CCM solution provider. These criteria include the following prioritized critical areas.

  • Rate each vendor on the basis of its application's incorporated best practices and user friendliness. In addition, be sure that the vendor's tech support meets the company's needs, especially if the organization is geographically decentralized and requires global support.
  • Assess the vendor's implementation service capability, whether it is through an internal professional services group or implementation partners. Since this requires little process reengineering, partners will only be required when the implementation is part of an overall compliance strategy. Enterprise executives should also be certain that the vendor can customize its application directly or through a network of authorized partners. RFG recommends that organizations request customer referrals about their experience with the vendor's implementation process.
  • Research the vendor's financial viability. In addition, companies should review analysis and opinions about vendors by leading IT advisory/research firms such as RFG. Finally, enterprise executives should try to obtain reliable data about the vendor's market share, growth history and expansion plans.

Summary: Effective regulatory compliance is a continuous process. Organizations must manage it as such by acquiring technology that ensures compliance is cost-effective and sustainable, and that adds value through business performance improvement. When evaluating a CCM vendor, enterprise executives should not only ensure that the vendor's application meets functionality requirements, but that the vendor's implementation service and financial viability are also sound.

Commentary: RFG Research Notes provide concise, high-level analysis and recommendations on specific topics of interest to enterprise IT executives. The Notes also provide a framework for further detailed Inquiries by RFG clients, and for follow-up presentations and workshops by RFG research staff available to all interested IT decision-makers. For more information, contact Client Services by telephone at (203) 429-8950 or by e-mail at clientservices@rfgonline.com.

For more information visit www.rfgonline.com.
