Continuous monitoring is the process and technology used to detect compliance and risk issues associated with an organization's financial and operational environment. The financial and operational environment consists of people, processes, and systems working together to support efficient and effective operations. Controls are put in place to address risks within these components. Through continuous monitoring of the operations and controls, weak or poorly designed or implemented controls can be corrected or replaced – thus enhancing the organization’s operational risk profile. Investors, governments, the public and other stakeholders continue to increase their demands for more effective corporate governance and business transparency.
Contents
History
Continuous monitoring can be traced back to its roots in traditional auditing processes. It goes further than a traditional periodic snapshot audit by putting in place continuous monitoring of transactions and controls so that weak or poorly designed or implemented controls can be corrected or replaced sooner rather than later.
Overview
Effective corporate governance requires directors and senior management overseeing the organization with a broader and deeper perspective than in the past. Organizations must demonstrate they are not only profitable but also ethical, in compliance with a myriad of regulations, and are addressing sustainability.
To be effective, those involved in the organizational governance process must take an enterprise wide view of where the organization has been, where it is and where it could and should be going. This enterprise wide view also must include consideration of the global, national and local economies, the strengths and weaknesses of the organization’s culture, and how the organization approaches managing risk.
Risk management
Managing risk involves actions beyond establishing and communicating policies and procedures at a high level. It includes understanding the need for (and exercising) both qualitative and quantitative judgment at the governance and operational level on a routine basis (including having an effective system of internal control). The Sarbanes-Oxley Act of 2002 created new and higher level requirements for organizations to establish effective internal controls and to assure compliance on an ongoing basis.
As organizations have set about to institute compliance programs they have learned they must come up with new methods for maintaining that compliance. Continuous monitoring is part of the solution. It can be a key component of carrying out the quantitative judgment part of an organization’s overall enterprise risk management.
Continuous monitoring is the process and technology used to detect compliance and risk issues associated with an organizations financial and operational activities. It actively identifies, quantifies and reports control failures such as duplicate vendor or customer records, duplicate payments, and transactions that fall outside of approved parameters. A by-product of continuous monitoring is it highlights opportunities to improve operational processes.
Potential benefits
Timely identification of problems or weaknesses and quick corrective action can help reduce the cost of any required periodic financial, regulatory, and operational reviews to a reasonable level. A Financial Executives International (FEI) March 2005 survey indicated it could cost an average of $4.36 million for a company to test for and ensure year-one compliance with Sarbanes-Oxley Act Section 404. Continuous monitoring typically includes solutions that address the three operational disciplines known as
Continuous monitoring systems can examine 100% of transactions and data processed in different applications and databases. The continuous monitoring systems can test for inconsistencies, duplication, errors, policy violations, missing approvals, incomplete data, dollar or volume limit errors, or other possible breakdowns in internal controls. Testing can be done for processes like payroll, sales order processing, purchasing and payables processing including travel and entertainment expenses and purchasing cards, and inventory transactions.
Approaches to Continuous monitoring
Nigrini advocates two approaches to continuous transactions monitoring in his book on forensic analytics. The first approach is called the parallel scan where descriptive statistics related to the transactions in the current period are compared to the descriptive statistics for the prior periods. Large differences signal that something has changed. Had Knight Capital used such a metric on August 1, 2012 they would have seen, in a matter of minutes that their trading system was out of control. Nigrini also advocates risk scoring as a continuous monitoring methodology. Here forensic units (e.g., bank account customers, franchisees, travel agents, coupon redemptions, and locations) are scored on various predictors. The scores for the predictors are averaged and each unit ends up with a single risk score. High scores suggest a high risk of the behavior of interest and low scores are associated with a low risk. Audit activity would be directed towards those forensic units with high scores. The risk scoring approach can be programmed.