Applying Continuous Controls Monitoring for achieving compliance and business improvement

Continuous Controls Monitoring has emerged as a solution that organizations can use to automate repetitive, time-consuming tasks to reduce compliance costs. It can simultaneously improve coverage and ensure the timeliness of reporting.
What makes CCM intriguing, beyond its being a comprehensive solution for Sarbanes-Oxley compliance and other regulatory requirements, is its potential to deliver significant business process improvements as well.
In charting the steps for achieving long-term compliance with Sarbanes-Oxley, it is important to remember how far companies have come since the law was enacted in 2002. Led by armies of auditors, most enterprises have made significant strides mapping their financial processes, identifying potentially "at risk" procedures and documenting the control points necessary to ensure compliance. Through these efforts, enterprises have been able to avoid the most draconian predictions of compliance failure; most were able to achieve this milestone with minimal disruption to their operations.
However, the process has not been a complete success. The extensive resources needed to manually test and assess compliance control points have resulted in significant cost burdens for most. According to a Financial Executives International (FEI) March 2005 survey, the total cost for ensuring year-one compliance with Sarbanes-Oxley Section 404 averaged $4.36 million per company.
Despite the expenditures for auditors and other support services and infrastructure, many CFOs still lack complete confidence in their ability to pass subsequent testing. In reality, few have the resources needed to fully assess the status of their internal controls on a regular basis; instead, they often rely on random "spot-testing" of control points for assurance. The initial attempts to comply with the Act underscore the fact that manual monitoring, analysis and evaluation of internal controls are labor-intensive and costly, and often fail to flag issues in time for corrective action.
John Hagerty, an analyst at AMR Research who focuses on enterprise risk management and compliance, summed up the situation, declaring that "making compliance repeatable, sustainable and cost-effective must become the priority for ongoing investment." Software technology clearly has an important role to play in Sarbanes-Oxley compliance. With the right solutions, enterprises can automate repetitive, time-consuming tasks to reduce compliance costs, while improving coverage and ensuring the timeliness of reporting.
While initial efforts have provided a solid foundation, they have also raised the stakes. Through their work with various auditors, and by documenting the controls and policies instituted for compliance, CFOs acknowledge that their enterprises are now exposed to even greater liability if they fail to enforce those controls.
Unlike traditional reporting metrics that typically show up on a balance sheet or financial statement, Sarbanes-Oxley compliance is unique and challenging, due to its focus on the underlying processes, as opposed to the end results. Sarbanes-Oxley is a direct result of a significant number of companies attempting to report fraudulent financial data. As such, the numbers themselves are no longer the only concern of investors, auditors and regulators. Of equal concern is how the figures are generated, a fact that has spawned a focus on making financial processes much more transparent.
Also important to consider is the fact that business processes, whether for assembling a car or approving a loan, are seldom the province of a single individual, system or even department. Business processes of significance span the enterprise, making it difficult or impossible for any one person to attest with certainty to the complete integrity of these processes.
While this suggests that no single existing system can fully address the end-to-end compliance requirement, fortunately these needs dovetail with the overall evolution of the financial infrastructure used to support and enable the real-time enterprise. For example, corporations historically were expected to close their books on a quarterly basis. Today, most can do so on a weekly or monthly basis, with a few claiming to do so daily.
This is essentially the same evolution that companies are expected to follow in maturing their Sarbanes-Oxley compliance efforts. Enterprises need to go beyond their existing approach of simply setting up a compliance project and move to establishing a sustainable and measurable compliance program.
For example, most IT investments to date have been made to document and disseminate various compliance policies or have focused on remediation of specific material weaknesses. While an important first step, these investments fail to provide management with a real-time means for assessing the overall compliance status, which is essentially what they are being evaluated on. Ignoring for a moment the details of how it is done, the long-term answer to compliance management becomes apparent: a programmatic approach that provides assurance and status monitoring on a 24x7 basis.
CCM vs. Continuous Auditing
The idea of CCM is often confused with "continuous auditing." While these are similar concepts, representing interrelated processes, they also address very distinct requirements. CCM is essentially represented by an operational dashboard and framework that provides users real-time status assurances for all of their compliance control points. Put simply, where CCM is designed to alert users to material events and other occurrences, continuous auditing is fundamentally designed to grade or certify those users on their response.
By moving to a continuous environment, organizations can simplify and speed the certification of their compliance processes and potentially identify relevant issues much sooner. However, auditing by its very nature must remain independent of the operational side of the business. Therefore, continuous auditing cannot be used to alert management, as this would violate the segregation of duties required to ensure auditor impartiality.
CCM is not a complete compliance program, but, rather, a tool for ensuring that critical business processes are being executed and ethically adhered to. At its core, effective corporate governance requires that organizations define and communicate a set list of policies, which are the desired and approved approaches or outcomes for addressing or resolving a variety of situations. For these efforts to be successful, enterprises must also identify specific control points that can be used to demonstrate or validate the linkage between specific actions and business operations.
Thus, CCM functions as an overlay network, spanning all of the enterprise systems, data repositories, users and human workflows that comprise the specific business processes deemed relevant under Sarbanes-Oxley. Embedded throughout this network are various control points that are used to assess compliance status. Traditionally, these control points have been manually assessed on an ad-hoc or random basis via an audit-like review of past performance.
[FIGURE 1 OMITTED]
The limitations of this approach are its inability to check all control points, its lack of timeliness, its lack of depth and breadth in information and its high cost. CCM allows users to automate this process to ensure 24x7 coverage of every control point, using real-time monitoring of measurable performance metrics (see figure 1).
With many organizations already maintaining multiple systems dedicated to compliance, CCM's role is to leverage those efforts to deliver a number of distinct features. First, it is a comprehensive approach targeting all existing control points. By comparison, many early-stage compliance solutions were designed to remediate specific concerns, leaving companies dependent upon a variety of disparate systems. While potential overlap, duplication and added costs from using this best-of-breed approach are one concern, the primary issue is the lack of consistent means within these systems for assessing and reporting on compliance status.
In addition, CCM focuses on creating a single point of ownership for compliance and operational risk management. Fundamentally, this role requires access to a consolidated dashboard, which is essentially what CCM offers, to both assess the enterprise's overall risk exposure and to execute day-to-day responsibilities.
Finally, unlike traditional approaches that passively demonstrate compliance by simply documenting past occurrences, CCM is designed to proactively identify real and potential violations through real-time monitoring.
In today's environment, most companies can also expect to undergo more frequent and extensive internal and external audits. As the strength of the monitoring framework is one of the key areas assessed, having a systematic, tested process in place can significantly reduce exposure and costs from these inquiries. While the foremost focus of CCM is on identifying violations, it also plays an important role in exception management, as it can be used to document how specific issues were resolved, typically another audit concern.
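As an added illustration (not part of the original article and not webMethods' own product logic), the following Python sketch shows what a control point looks like once it is encoded for continuous monitoring rather than periodic spot-testing. Three constructed controls (segregation of duties, a senior-approval threshold and a posting-time window) are evaluated against every record in a constructed payment feed, giving the full-coverage check count the article contrasts with sampling, and each resulting exception carries its own resolution record to address the exception-management concern raised above. The records, user names, thresholds and control identifiers are all assumptions made for this example.

```python
"""Continuous controls monitoring over a constructed payment-approval feed.

Illustrative example only: the transactions, role table, thresholds and
control identifiers below are constructed for this demonstration and do not
come from any real system or vendor product.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

# Constructed sample feed, as payment approvals would arrive from an ERP system.
TRANSACTIONS = [
    {"id": "PAY-1001", "amount": 4200.00, "created_by": "alice", "approved_by": "bob",
     "approved_at": "2005-09-12T10:15:00"},
    {"id": "PAY-1002", "amount": 18500.00, "created_by": "carol", "approved_by": "carol",
     "approved_at": "2005-09-12T11:02:00"},   # creator approved her own payment
    {"id": "PAY-1003", "amount": 52000.00, "created_by": "dave", "approved_by": "erin",
     "approved_at": "2005-09-12T23:40:00"},   # large amount, junior approver, late at night
    {"id": "PAY-1004", "amount": 900.00, "created_by": "alice", "approved_by": "bob",
     "approved_at": "2005-09-13T09:05:00"},
]

# Constructed policy parameters: who may approve large payments, and when postings are expected.
SENIOR_APPROVERS = frozenset({"bob", "frank"})
SENIOR_THRESHOLD = 25000.00
BUSINESS_HOURS = range(8, 19)   # 08:00 through 18:59


@dataclass
class ControlException:
    """One control failure, plus the exception-management record of how it was handled."""
    control: str
    record_id: str
    detail: str
    actors: FrozenSet[str]                 # people involved in the flagged record
    resolved_by: Optional[str] = None
    resolution: Optional[str] = None


# Each control point is a function returning a human-readable finding, or None when it passes.
def ctl_segregation_of_duties(rec: dict) -> Optional[str]:
    if rec["created_by"] == rec["approved_by"]:
        return f"{rec['created_by']} both created and approved the payment"
    return None


def ctl_senior_approval(rec: dict) -> Optional[str]:
    if rec["amount"] >= SENIOR_THRESHOLD and rec["approved_by"] not in SENIOR_APPROVERS:
        return f"amount {rec['amount']:.2f} requires a senior approver; approved by {rec['approved_by']}"
    return None


def ctl_posting_window(rec: dict) -> Optional[str]:
    hour = datetime.fromisoformat(rec["approved_at"]).hour
    if hour not in BUSINESS_HOURS:
        return f"approved at {rec['approved_at']}, outside the posting window"
    return None


CONTROLS: Dict[str, Callable[[dict], Optional[str]]] = {
    "SOD-01": ctl_segregation_of_duties,   # constructed control identifiers
    "APR-02": ctl_senior_approval,
    "TIM-03": ctl_posting_window,
}


def monitor(records: List[dict]) -> Tuple[List[ControlException], int]:
    """Run every control against every record; return the exceptions and the number of checks performed.

    The check count is the coverage figure a dashboard would report: every record passes
    through every control, rather than a random sample of control points being inspected.
    """
    exceptions: List[ControlException] = []
    checks = 0
    for rec in records:
        actors = frozenset({rec["created_by"], rec["approved_by"]})
        for control_id, check in CONTROLS.items():
            checks += 1
            detail = check(rec)
            if detail is not None:
                exceptions.append(ControlException(control_id, rec["id"], detail, actors))
    return exceptions, checks


def resolve(exc: ControlException, resolved_by: str, note: str) -> ControlException:
    """Document how an exception was handled; the people involved in the record may not close it."""
    if resolved_by in exc.actors:
        raise ValueError(f"{resolved_by} is party to {exc.record_id} and cannot resolve its exception")
    exc.resolved_by = resolved_by
    exc.resolution = note
    return exc


def status(exceptions: List[ControlException]) -> Dict[str, Dict[str, int]]:
    """Per-control open/resolved counts, the summary a compliance dashboard would display."""
    summary = {cid: {"open": 0, "resolved": 0} for cid in CONTROLS}
    for exc in exceptions:
        summary[exc.control]["resolved" if exc.resolution else "open"] += 1
    return summary


if __name__ == "__main__":
    found, performed = monitor(TRANSACTIONS)
    print(f"{performed} checks performed, {len(found)} exceptions raised")
    for e in found:
        print(f"  {e.control} {e.record_id}: {e.detail}")
    resolve(found[0], "frank", "Payment reversed; re-submitted with independent approval")
    print(status(found))
```

Each control is deliberately a small, self-contained predicate over a record: adding a control point means adding one function and one dictionary entry, and the coverage count reported by `monitor` rises accordingly. The `resolve` step refuses to let a person involved in the flagged record close their own exception, which keeps the resolution trail itself defensible when an auditor later asks how an issue was handled.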
While many CFOs are aware of the specific implications of compliance failure (including fines, loss of market or brand value and jail time), few have fully considered the additional positive impact that CCM can deliver. Specifically, one of the outcomes of Sarbanes-Oxley is that most CFOs today have a far better understanding of how their business processes actually operate than ever before. Using the insight secured through continuous monitoring, necessary changes can be implemented to streamline these processes for greater effectiveness and efficiency.
With CCM being an agnostic methodology for process monitoring, companies can examine both control points and other key performance indicators (KPIs) on a regular basis. This approach will enable enterprises to increase their capability and confidence in compliance efforts, while reducing risk, limiting financial errors and improving overall business and finance operations.
Arnold Huffman is Vice President of Strategic Business Solutions and James Crump is Senior Director of Strategic Business Solutions, both for Fairfax, Va.-based webMethods, a business integration and optimization software company. They can be reached at firstname.lastname@example.org and email@example.com, respectively.
Takeaways
* Continuous Controls Monitoring (CCM) is an approach for Sarbanes-Oxley and other regulatory requirements; it can also drive significant business improvement.
* CCM and Continuous Auditing (CA), often confused, represent interrelated processes, but they also address very distinct requirements.
* For example, CCM is designed to alert users to material events and other occurrences; CA is fundamentally designed to grade or certify these users on their response.
* CCM is not a complete compliance program, but rather a tool for ensuring that critical business processes are being executed and ethically adhered to.
Date: Oct 1, 2005