Defining Continuous Controls Monitoring: A Holistic Approach

Online, March 19, 2010 (Newswire.com) - Norman Marks, a well-respected evangelist of governance, risk and compliance (GRC) often provides useful insights on topics of interest to auditors. I concur with his assertation that a universally accepted definition of Continuous Controls Monitoring (CCM) does not exist. Yet, it is a concept that is both innately understood and acknowledged by the audit community.

From my observation of discussions on LinkedIn, the web, and other sources in the area of applications systems, CCM typically focuses on the transactions of a system. Several software vendors (i.e., ACL, Approva, Oversight and others) supply products to monitor these transactions, usually financial ones (i.e., payables, payroll, T&E and others).

Master Data and Application Configuration Settings are Vital

I agree with the school of thought that master data and application configuration settings should be included within continuous monitoring. It seems to me that this important and fundamental component of CCM is overlooked by many auditors and cannot be addressed by those systems that monitor transactions alone. Financial transactions are generated by the program code of a financial application. However, this code is driven by application settings or parameters (e.g., the Social Security withholding rate: 7.65 percent). Furthermore, this code depends on master data (e.g., an employee's salary: assume $1,000/week). Without the proper setting of 7.65 percent and the proper (approved) salary value ($1,000), the application would not accurately compute the amount to be withheld ($76.50).

The Challenge of Improper Change

Both application settings and master data do change, but this change should occur per appropriate processes and approvals. Yet, both are vulnerable to improper change-be it caused by careless human data entry error, or by malicious or fraudulent intent. Critical to the effective operation of a business process is the need for the process or data owner to validate that changes to their setting or master data are correct. In many cases, however, this does not occur, or the accuracy of settings and master data are reviewed and audited, by default, by internal or external auditors. Such audit review can be manual, laborious and time-consuming to both the process and data owners, who now must furnish reports requested by the auditor, and to the auditor, who now must develop samples and then test them for compliance and accuracy.

Regardless, this approach is prone to error. Sampling risk-the possibility that exceptions may exist in the untested segment of the population of control changes-is not eliminated. Even with 95 percent statistical confidence, uncertainty remains that among the untested changes, there can exist incorrect application settings or wrong master data values that continue to drive processing or computations of the application system towards unacceptable output.

The Holistic Approach to CCM

A holistic approach is for companies to indeed monitor their transactions, as well as monitor the integrity of the settings and the master data that drives them. This means that just as companies invest in systems that monitor transactions, they must also invest in monitoring the settings and the master data at the source level. Imagine the errors that would exist in financial disclosures caused by lingering undetected errors. Imagine the consequences of such errors-restatements, control weaknesses or damaged reputation.

As auditors, we are always looking for better ways to address controls and compliance:

• A better way would be software that can continuously monitor all key application settings and master data values, and detect every change that occurs to 100 percent of the population.

• A better way would be for software to unimpeachably prove that no changes occurred over a time interval, ensuring data integrity was maintained.

• A better way would be for software to report changes to the appropriate process and data owners for their review and assessment of whether the changes were acceptable or not.

• A better way would be for the process and data owners to quickly correct or fix any unsuitable change and then remediate why it occurred.

• A better way would be for auditors to oversee or test whether the data owners are properly maintaining data integrity through regular evaluation of their change detection reports.

A Word on Auditors and Accountability

An important issue surrounding continuous controls monitoring is the center of responsibility. For auditors to remain independent and objective, they need to avoid responsibility for controls. Therefore, it is the business process or data owner that needs to be accountable by monitoring that the controls (i.e., the settings and master data that control or drive the processing or computations of the application) are set and configured as intended. The owner must be accountable for detecting erroneous settings or values and then swiftly correcting them to their proper position. The owner must be accountable for investigating why improper changes occurred and executing appropriate remedial actions.

Where auditors perform these functions, it seems to me that the bona fide owners are simply taking a laissez-faire position and are abrogating their responsibilities to the auditors.