Applying Continuous Controls Monitoring for achieving compliance and business improvement: Continuous Controls Monitoring has emerged as a solution that organizations can use to automate repetitive, time-consuming tasks to reduce compliance costs. It can simultaneously improve coverage and ensure the timeliness of reporting.With most companies having met their initial deadlines for Sarbanes-Oxley Section 404 compliance, they are deep into the even more challenging task of institutionalizing their compliance programs. For many, this aspect of their implementation process will be daunting daunt
tr.v. daunt·ed, daunt·ing, daunts
To abate the courage of; discourage. See Synonyms at dismay.
[Middle English daunten, from Old French danter, from Latin . As they recognize the implications and requirements for maintaining compliance, Continuous Controls Monitoring (CCM CCM Contemporary Christian Music
CCM Critical Care Medicine
CCM County College of Morris (New Jersey)
CCM Chama Cha Mapinduzi (political party, Tanzania)
CCM CORBA Component Model ) has emerged as a key approach for meeting this critical objective.
What makes CCM intriguing--beyond its being a comprehensive solution for Sarbanes-Oxley compliance and other regulatory requirements--is its potential to deliver significant business process improvements as well.
In charting the steps for achieving long-term compliance with Sarbanes-Oxley, it is important to remember how far companies have come since the law was enacted in 2002. Led by armies of auditors, most enterprises have made significant strides mapping their financial processes, identifying potentially "at risk" procedures and documenting the control points necessary to ensure compliance. Through these efforts, enterprises have been able to avoid the most draconian dra·co·ni·an
Exceedingly harsh; very severe: a draconian legal code; draconian budget cuts.
[After Draco. predictions of compliance failure; most were able to achieve this milestone with minimal disruption to their operations.
However, the process has not been a complete success. The extensive resources needed to manually test and assess compliance control points have resulted in significant cost burdens for most. According to according to
1. As stated or indicated by; on the authority of: according to historians.
2. In keeping with: according to instructions.
3. a Financial Executives International (FEI FEI
Fédération Équestre Internationale. ) March 2005 survey, the total cost for ensuring year-one compliance with Sarbanes-Oxley Section 404 averaged $4.36 million per company.
Despite the expenditures for auditors and other support services support services Psychology Non-health care-related ancillary services–eg, transportation, financial aid, support groups, homemaker services, respite services, and other services and infrastructure, many CFOs still lack complete confidence in their ability to pass subsequent testing. In reality, few have the resources needed to fully assess the status of their internal controls on a regular basis; instead, they are often more reliant on random "spot-testing" of control points for assurance. The initial attempts to comply with the Act underscore The underscore character (_) is often used to make file, field and variable names more readable when blank spaces are not allowed. For example, NOVEL_1A.DOC, FIRST_NAME and Start_Routine.
(character) underscore - _, ASCII 95. the fact that manual monitoring, analysis and evaluation of internal controls is labor-intensive and costly and often fails to flag issues in time for corrective action A corrective action is a change implemented to address a weakness identified in a management system. Normally corrective actions are instigated in response to a customer complaint, abnormal levels if internal nonconformity, nonconformities identified during an internal audit or .
John Hagerty, an analyst at AMR (1) (Adaptive Multi-Rate) A variable rate speech codec selected by the 3GPP for the 3G evolution of the GSM cellphone system (WCDMA). Using the Algebraic CELP (ACELP) compression technology, AMR provides toll quality sound at transmission rates from 4.75 to 12. Research who focuses on enterprise risk management and compliance, summed up the situation, declaring that "making compliance repeatable, sustainable and cost-effective must become the priority for ongoing investment." Software technology clearly has an important role to play in Sarbanes-Oxley compliance. With the right solutions, enterprises can automate repetitive, time-consuming tasks to reduce compliance costs, while improving coverage and ensuring the timeliness of reporting.
While initial efforts have provided a solid foundation, they've also served to raise the stakes. CFOs acknowledge potential concerns--through their work with various auditors and by documenting the controls and policies instituted for compliance--that their enterprises are now exposed to even greater liability if they fail to enforce these actions.
Unlike traditional reporting metrics that typically show up on a balance sheet or financial statement, Sarbanes-Oxley compliance is unique and challenging, due to its focus on the underlying processes, as opposed to the end results. Sarbanes-Oxley is a direct result of a significant number of companies attempting to report fraudulent financial data. As such, the numbers themselves are no longer the only concern of investors, auditors and regulators. Of equal concern is how the figures are generated, a fact that has spawned a focus on making financial processes much more transparent.
Also important to consider is the fact that business processes, whether for assembling a car or approving a loan, are seldom the province of a single individual, system or even department. Business processes of significance span the enterprise, making it difficult or impossible for anyone to attest To solemnly declare verbally or in writing that a particular document or testimony about an event is a true and accurate representation of the facts; to bear witness to. To formally certify by a signature that the signer has been present at the execution of a particular writing so as with any certainty to the complete sanctity of these processes.
While this suggests that no single existing system can fully address the end-to-end compliance requirement, fortunately these needs dovetail dovetail
n a widened or fanned-out portion of a prepared cavity, usually established deliberately to increase the retention and resistance form. with the overall evolution of the financial infrastructure used to support and enable the real-time enterprise. For example, corporations historically were expected to close their books on a quarterly basis. Today, most can do so on a weekly or monthly basis, with a few claiming to do so daily.
This is essentially the same evolution that companies are expected to follow in maturing their Sarbanes-Oxley compliance efforts. This means that enterprises need to go beyond their existing approach to simply setting up a compliance project, and moving to establishing a sustainable and measurable compliance program.
For example, most IT investments to date have been made to document and disseminate various compliance policies or have focused on remediation of specific material weaknesses. While an important first step, these investments fail to provide management with a real-time means for assessing the overall compliance status, which is essentially what they are being evaluated on. Ignoring for a moment the details of how it is done, the long-term answer to compliance management becomes apparent: a programmatic pro·gram·mat·ic
1. Of, relating to, or having a program.
2. Following an overall plan or schedule: a step-by-step, programmatic approach to problem solving.
3. approach that provides assurance and status monitoring on a 24X7 basis.
CCM vs. Continuous Auditing
The idea of CCM is often confused with "continuous auditing." While these are similar concepts, representing interrelated in·ter·re·late
tr. & intr.v. in·ter·re·lat·ed, in·ter·re·lat·ing, in·ter·re·lates
To place in or come into mutual relationship.
in processes, they also address very distinct requirements. CCM is essentially represented by an operational dashboard and framework that provides users real-time status assurances for all of their compliance control points. Conversely, if CCM is designed to alert users to material events and other occurrences, continuous auditing is fundamentally designed to grade or certify these users on their response.
By moving to a continuous environment, organizations can simplify and speed the certification of their compliance processes and potentially identify relevant issues much sooner. However, auditing by its very nature must remain independent of the operational side of the business. Therefore, continuous auditing cannot be used to alert management, as this would violate the segregation of duties required to ensure auditor impartiality.
CCM is not a complete compliance program, but, rather, a tool for ensuring that critical business processes are being executed and ethically adhered to. At its core, effective corporate governance Corporate Governance
The relationship between all the stakeholders in a company. This includes the shareholders, directors, and management of a company, as defined by the corporate charter, bylaws, formal policy, and rule of law. requires that organizations define and communicate a set list of policies, which are the desired and approved approaches or outcomes for addressing or resolving a variety of situations. For these efforts to be successful, enterprises must also identify specific control points that can be used to demonstrate or validate the linkage between specific actions and business operations Business operations are those activities involved in the running of a business for the purpose of producing value for the stakeholders. Compare business processes. The outcome of business operations is the harvesting of value from assets .
Thus, CCM functions as an overlay network A logical network that runs on top of another network. For example, peer-to-peer networks are overlay networks on the Internet. They use their own addressing system for determining how files are distributed and accessed, which provides a layer on top of the Internet's IP addressing. , spanning all of the enterprise systems, data repositories See repository. , users and human workflows that comprise the specific business processes deemed relevant under Sarbanes-Oxley. Embedded Inserted into. See embedded system. throughout this network are various control points that are used to assess compliance status. Traditionally, these control points have been manually assessed on an ad-hoc or random basis via an audit-like review of past performance.
[FIGURE 1 OMITTED]
The limitations of this approach are its inability to check all control points, its lack of timeliness, its lack of depth and breadth in information and its high cost. CCM allows users to automate this process to ensure 24X7 coverage of every control point, using real-time monitoring of measurable performance metrics Performance metrics are measures of an organizations activities and performance. Performance metrics should support a range of stakeholder needs from customers, shareholders to employees . (see figure 1).
With many organizations already maintaining multiple systems dedicated to compliance, CCM's role is to leverage those efforts to deliver a number of distinct features. First, it is a comprehensive approach targeting all existing control points. By comparison, many early-stage compliance solutions were designed to remediate re·me·di·a·tion
The act or process of correcting a fault or deficiency: remediation of a learning disability.
re·me specific concerns, leaving companies dependent upon a variety of disparate systems. While potential overlap, duplication and added costs from using this best-of-breed approach are one concern, the primary issue is the lack of consistent means within these systems for assessing and reporting on compliance status.
In addition, CCM focuses on creating a single point of ownership for compliance and operational risk management. Fundamentally, this role requires access to a consolidated dashboard, which is essentially what CCM offers, to both assess the enterprise's overall risk exposure and to execute day-to-day responsibilities.
Finally, unlike traditional approaches that passively demonstrate compliance by simply documenting past occurrences, CCM is designed to proactively identify real and potential violations through real-time monitoring.
In today's environment, most companies can also expect to under-go more frequent and extensive internal and external audits. As the strength of the monitoring framework is one of the key areas assessed, having a systematic, tested process in place can significantly reduce exposure and costs from these inquiries. While the foremost focus of CCM is on identifying violations, it also plays an important role in exception management, as it can be used to document how specific issues were resolved--typically, another audit concern.
While many CFOs are aware of the specific implications of compliance failure (including fines, loss of market or brand value and jail time), few have fully considered the additional positive impact that CCM can deliver. Specifically, one of the outcomes of Sarbanes-Oxley is that most CFOs today have a far better understanding of how their business processes actually operate than ever before. Using the insight secured through continuous monitoring, necessary changes can be implemented to streamline these processes for greater effectiveness and efficiency.
With CCM being an agnostic ag·nos·tic
a. One who believes that it is impossible to know whether there is a God.
b. One who is skeptical about the existence of God but does not profess true atheism.
2. methodology for process monitoring, companies can examine both control points and other key performance indicators Key Performance Indicators (KPI) are financial and non-financial metrics used to quantify objectives to reflect strategic performance of an organization. KPIs are used in Business Intelligence to assess the present state of the business and to prescribe a course of action. (KPIs) on a regular basis. This approach will enable enterprises to increase their capability and confidence in compliance efforts, while reducing risk, limiting financial errors and improving overall business and finance operations The execution of the joint finance mission to provide financial advice and guidance, support of the procurement process, providing pay support, and providing disbursing support.See also financial management. .
Arnold Huffman is Vice President of Strategic Business Solutions and James Crump crump
v. crumped, crump·ing, crumps
1. To crush or crunch with the teeth.
2. To strike heavily with a crunching sound.
v.intr. is Senior Director of Strategic Business Solutions, both for Fairfax, Va.-based webMethods, a business integration and optimization software Free and Open Source software
RELATED ARTICLE: takeaways
* Continuous Controls Monitoring (CCM) is an approach for Sarbanes-Oxley and other regulatory requirements Regulatory requirements are part of the process of drug discovery and drug development. Regulatory requirements describe what is necessary for a new drug to be approved for marketing in any particular country. ; it can also drive significant business improvement.
* CCM and Continuous Auditing (CA)--often confused--represent interrelated processes, but they also address very distinct requirements.
* For example, CCM is designed to alert users to material events and other occurrences; CA is fundamentally designed to grade or certify these users on their response.
* CCM is not a complete compliance program, but rather a tool for ensuring that critical business processes are being executed and ethically adhered to.