Risk Management and Continuous Monitoring

by: John Verver. 

Financial and operational transactions are increasing in volume and complexity every day. Organizations now find themselves struggling to maintain the minimum required controls expected of them in a new, increasingly regulated, business environment. The traditional audit process is intended to provide assurance that control systems are adequately designed, and within a specific timeframe, operating effectively. However, the audit process typically occurs significantly after the transactions are completed, and is rarely able to test all transactions in a comprehensive way for controls compliance. Therefore, there is a significant risk to many organizations that errors and fraud occur and remain undetected, resulting in a negative impact to their bottom line.
An important component of successfully managing the risks inherent in many of these control systems lies in the ability to monitor transactions independently and continuously close to the point at which they occur. Data analysis technologies capable of continuous monitoring that run alongside operational applications systems can add an additional control layer and improve the process of checking compliance with controls and exception reporting.
Pockets within the audit and control profession have discussed the concept of continuous monitoring for many years. Although some organizations have successfully implemented continuous monitoring systems, to date there has been no widespread move to adopt this enhanced control approach. The main technological barrier has been the practical issue of implementing a system that is non-intrusive on operational processes and that is capable of easy configuration for specific risk tolerance requirements. The good news is that now transactional analysis technologies are much more versatile, and continuous monitoring applications are capable of implementation within virtually any business process cycle. Organizations can customize these applications based on their needs and accepted level of risk tolerance. The technology underpinnings to enable an effective continuous monitoring strategy should include several key components: independence from the system that processes the transaction; the ability to compare data and transactions across multiple platforms; the ability to process large volumes of data; and prompt notification to management of transactions that represent control exceptions.

Independent monitoring of the integrity of transactions yields advantages from both control and operational perspectives. This independent monitoring process also safeguards the performance of the core operational systems. Tests for identifying problem transactions can be conveniently added and enhanced without impacting the core systems – and the need for expensive and time-consuming modifications is avoided.

Ideally, Enterprise Resource Planning (ERP) systems and other transaction processing systems should be implemented in such a way that controls are embedded in the core application. In theory, continuous monitoring of transactions would not be necessary if the core application itself ensured tight controls. In practice, the pressure of implementing new ERP systems within tight deadlines can mean effective control mechanisms are given insufficient attention. Even if systems are initially implemented with sound controls in place, over time system users often find creative ways to bypass controls. Here the value of an independent transaction monitoring system can be twofold. First, it identifies instances where defined controls were bypassed. Second, it highlights control risks for which no specific control procedure was established.
The inability to easily compare transactional data from one operational system to another constitutes a significant and growing area of business risk as organizations implement increasingly complex layers of technology across multi-platform environments. While ERP systems aim to provide a consistent application architecture, in many organizations ERP implementations are not comprehensive. If companies have experienced mergers or acquisitions, there may be multiple ERP systems and data subsystems still working independently of the main platform – making continuous monitoring of transactional data across application systems difficult without an additional technological solution.

To be effective, a continuous monitoring system also needs to be able to process vast amounts of data with great speed and efficiency. Timeliness is clearly critical since the longer control exceptions go undiscovered, the greater the risk exposure and higher the cost to remedy the situation. Current preventative control methods are usually based on a combination of manual and automated procedures. These are time- and labor-intensive activities. Manual procedures involve some degree of individual approval or review. The risk of human error increases with ever-growing volumes of data and such manual procedures can be very slow. Automated procedures generally cannot be designed cost-effectively to prevent or detect all possible risky transactions. Therefore, the ideal solution runs alongside the operational systems and can perform analysis on vast amounts of data pulled from a variety of sources on a regular basis. How regularly this analysis should occur will depend on the nature of the underlying systems. In practice, real-time monitoring is rarely achievable, and transactional testing that occurs on a daily or weekly basis can achieve the desired objective of a timely response to problem transactions.

A key aspect of an effective continuous monitoring system is the ability to “tune” the filters according to each organization’s risk tolerance or regulatory requirements. In many cases, if too broad a filter is applied, it will generate a mass of exceptions, making it harder to examine the exception reports effectively. It is usually desirable to weight different types of control exceptions according to the level of risk involved. Certain combinations of control exceptions will generate a critical weighting that results in immediate email notification to management. Lower weighted exceptions will be captured in a report that is subject to regular review and response, as necessary. These filters and weighting factors within the continuous monitoring system can be regularly adjusted to generate exceptions at a particular level of significance.
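The weighting and routing scheme just described, as an added example that is not part of the original article: a small Python script runs independent tests over constructed sample payments extracted from an ERP and a vendor master held in a separate subsystem, sums the weights of the tests each payment fails, and routes critical scores to immediate notification and the rest to a review report. The test names, weights and critical threshold are assumed values that an organization would tune to its own risk tolerance.

```python
# Constructed sample data: payments extracted from the ERP (read-only, so the
# monitoring runs independently of the system that processed them) and a vendor
# master held in a separate subsystem, as the article describes.
PAYMENTS = [
    {"id": "P1", "vendor": "V100", "amount": 4999.00, "approver": "alice", "entered_by": "alice"},
    {"id": "P2", "vendor": "V100", "amount": 4999.00, "approver": "bob", "entered_by": "carol"},
    {"id": "P3", "vendor": "V999", "amount": 12000.00, "approver": "bob", "entered_by": "bob"},
    {"id": "P4", "vendor": "V200", "amount": 250.00, "approver": "erin", "entered_by": "frank"},
]
VENDOR_MASTER = {"V100", "V200"}   # from the second system
APPROVAL_LIMIT = 5000.00           # assumed single-signature approval limit
CRITICAL = 6                       # assumed threshold for immediate notification


def is_duplicate(p, all_payments):
    """Another payment to the same vendor for the same amount (possible double payment)."""
    return any(q["id"] != p["id"] and q["vendor"] == p["vendor"]
               and q["amount"] == p["amount"] for q in all_payments)


# Each test: (name, weight, predicate). Weights are the tunable risk factors.
TESTS = [
    ("vendor not in master", 5, lambda p, ctx: p["vendor"] not in ctx["vendors"]),
    ("self-approved", 4, lambda p, ctx: p["approver"] == p["entered_by"]),
    ("just under approval limit", 2,
     lambda p, ctx: ctx["limit"] * 0.95 <= p["amount"] < ctx["limit"]),
    ("possible duplicate", 3, lambda p, ctx: is_duplicate(p, ctx["payments"])),
]


def score(payment, ctx):
    """Return (total weight, names of failed tests) for one payment."""
    hits = [(name, w) for name, w, test in TESTS if test(payment, ctx)]
    return sum(w for _, w in hits), [name for name, _ in hits]


def monitor(payments, vendors, limit, critical=CRITICAL):
    """Run all tests over a batch (e.g. one day's extract) and route the exceptions:
    scores at or above `critical` go to immediate alerts, the rest to the review report."""
    ctx = {"payments": payments, "vendors": vendors, "limit": limit}
    alerts, report = [], []
    for p in payments:
        total, reasons = score(p, ctx)
        if not reasons:            # clean transaction, nothing to report
            continue
        entry = {"id": p["id"], "score": total, "reasons": reasons}
        (alerts if total >= critical else report).append(entry)
    return alerts, report


if __name__ == "__main__":
    alerts, report = monitor(PAYMENTS, VENDOR_MASTER, APPROVAL_LIMIT)
    print("IMMEDIATE:", alerts)
    print("REPORT:", report)
```

Raising the weight of a single test above the critical threshold turns it into an unconditional alert, while lowering weights or raising the threshold narrows the filter when the exception report grows too large to review.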

The traditional argument against continuous monitoring tended to center either on the process being redundant in a well-designed system or on its being too expensive to implement and maintain. However, many organizations are coming to recognize that, despite their best intentions, control systems within core transaction processing applications are rarely bulletproof and are strengthened considerably by independent monitoring. As for concerns about the cost, organizations that have implemented continuous monitoring systems frequently find that cost recovery, and indeed cost savings, are achieved in a short period of time, due to timely identification of errors and fraudulent activity.

In this current business climate, it is an opportune time for audit and finance professionals to make the case for the critical role continuous monitoring can play in maintaining high levels of control and, ultimately, good corporate governance.
