When you hear the term “continuous control monitoring” (CCM), do you find yourself thinking any of the following?
1. My ERP system has built-in automated controls, so I don’t need CCM because I’m already protected.
2. It sounds great in theory, but in reality, it’s not practical or affordable to implement.
3. Isn’t this what someone else in the organization does?
4. Continuous monitoring is awesome; it’s increased productivity and strengthened assurance in my organization.
If you chose option 4, awesome! You probably already know the great value CCM has added to your organization in providing timely insights for informed decision making and optimizing performance.
If you chose options 1, 2 or 3, you aren’t alone in your thoughts; I hear these comments from senior executives and managers often. The reality is that these are commonly held assumptions that you need to challenge—so let’s break them down a bit more to understand how these myths might be holding you back.
Myth #1: My ERP system has built-in automated controls, so I don’t need CCM because I’m protected already.
There is truth to this statement; ERP systems are intended to help make your organization more efficient and effective with built-in controls that prevent erroneous or invalid transactions from taking place. Your organization has already invested considerable resources in implementing controls and maintaining your ERP systems, so building the case for additional control monitoring can be challenging. The myth here is that your ERP’s embedded system controls eliminate risk and the controls are 100% effective.
ERP controls are not designed to prevent fraud. No control is foolproof, and worse yet, the stricter your ERP controls become, the greater the risk of employees seeking workarounds simply to get their jobs done. Consider the common case where purchase orders (POs) and goods receipts are required before payment can be issued against an invoice. If goods are delivered where no PO exists, nothing stops someone from requesting a PO with a few calls. That after-the-fact PO now meets your control criteria for issuing a goods receipt, which in turn kicks off the payment process. Your ERP might be happy, but your business processes are open to exploitation. CCM helps to reveal where your business processes are being undermined. Workarounds are just one risk, but also consider these other common risk exposures in your ERP system:
- Missed controls from your initial implementation, control settings that weren’t enabled on implementation, or controls that are out-of-date with new policies. Keeping your ERP controls up-to-date is like playing a frustrating game of whack-a-mole. Although your processes may have been standardized with embedded controls, you risk losing your system’s additional complexities.
- Multiple ERP systems or instances can hide weaknesses and control gaps. The result is data mismatches and errors that make reconciliation a challenge for year-end reporting. This scenario can lead to challenges in enforcing segregation of duties, increasing potential for fraud, waste and abuse.
- Data entry errors not caught by controls. These errors are almost impossible to eliminate, leaving you open to undetected fraud and errors impacting your bottom line. However, these are easily caught by control monitoring.
- Your ERP system implementation is part of a shared service implementation and likely does not take your organization’s unique policies and processes into account.
- Abuse of policies that can’t be detected by point-in-time checks in ERP configuration controls. For example, if you have a policy that receipts are not required for purchases under $25, each of these transactions appears valid at the time it is made, but monitoring the trends and frequency over time can indicate patterns of abuse.
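The under-$25 receipt policy and the after-the-fact PO workaround described above, as an added example that is not from the original article: two monitoring tests in Python run over constructed records. The near-threshold band, the monthly count limit, the record layout and all sample data are assumptions.

```python
from collections import defaultdict
from datetime import date

RECEIPT_THRESHOLD = 25.00  # policy from the article: no receipt needed under $25
NEAR_BAND = 0.80           # assumption: "just under" means the top 20% below the limit
MIN_COUNT = 4              # assumption: 4+ such claims per employee per month is a pattern

# Constructed sample expense claims: (employee, claim date, amount)
EXPENSES = [
    ("emp_a", date(2024, 3, 4), 24.50), ("emp_a", date(2024, 3, 8), 23.99),
    ("emp_a", date(2024, 3, 15), 24.00), ("emp_a", date(2024, 3, 21), 24.75),
    ("emp_a", date(2024, 3, 28), 22.10), ("emp_a", date(2024, 4, 2), 24.10),
    ("emp_b", date(2024, 3, 5), 12.00), ("emp_b", date(2024, 3, 9), 24.95),
    ("emp_b", date(2024, 3, 19), 21.00), ("emp_b", date(2024, 3, 30), 40.00),
]

# Constructed sample purchases: (PO id, PO created, goods received)
PURCHASES = [
    ("PO-1001", date(2024, 3, 1), date(2024, 3, 10)),   # normal order
    ("PO-1002", date(2024, 3, 15), date(2024, 3, 12)),  # PO raised after delivery
    ("PO-1003", date(2024, 3, 20), date(2024, 3, 20)),  # same day, not flagged
]

def near_threshold_clusters(expenses):
    """Count receipt-exempt claims just under the limit per employee per month.

    Each claim passes the point-in-time control; only the repeated pattern
    within one month is reported.
    """
    counts = defaultdict(int)
    for employee, day, amount in expenses:
        if RECEIPT_THRESHOLD * NEAR_BAND <= amount < RECEIPT_THRESHOLD:
            counts[(employee, day.strftime("%Y-%m"))] += 1
    return {key: n for key, n in counts.items() if n >= MIN_COUNT}

def retroactive_pos(purchases):
    """Return ids of POs created strictly after the goods were received."""
    return [po for po, created, received in purchases if created > received]

if __name__ == "__main__":
    print("Near-threshold clusters:", near_threshold_clusters(EXPENSES))
    print("After-the-fact POs:", retroactive_pos(PURCHASES))
```

Flagged items are exceptions for follow-up, not findings of fraud; the band and count limit should be tuned to the organization's own claim volumes.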
Myth #2: It sounds great in theory, but in reality, it’s not practical.
When I hear people say CCM is not practical, with a little more digging, I learn that part of the challenge is understanding how to implement CCM in their complex environment. They see the cost of implementation and change management to be prohibitive because they are thinking about implementing monitoring for every control within their organization at once. To be fair, this approach would be challenging, and you’ll be stuck in the planning and building phase for years before seeing any value.
Successful implementations start lean and take an agile, iterative approach to build out areas that will show value quickly. The focus should be on realizing smaller, achievable results in areas that are high risk and high value. Some great examples of where to start are in financial transactions:
- Find areas where you have resources spending considerable time on manual monitoring. This might be purchase card expenses, phone bills, or other simple financial transactions.
- Look at a single high-risk area in your financial controls where your auditors have raised concerns. This approach allows you to build a roadmap of prioritized objectives that you can work to implement one by one.
By keeping the scope narrow, you can focus on working out how the entire workflow should work and then seek to replicate as you add in new areas.
Automation also plays a key role in creating sustainable and scalable CCM programs. The tools that are most effective not only help identify control exceptions, but also support your remediation and follow-up workflows, and allow for complete transparency with dashboards.
Myth #3: Isn’t this what our auditors already review?
Last, but certainly not least, is the myth surrounding whose responsibility it is to ensure controls are working. In government, there is often a heavy reliance on auditors to do this job. To some extent, yes, your auditors are likely looking at how successful your controls are. However, their role is to provide independent assurance that your organization’s controls are working, not to find fraud and be accountable for the creation and management of these controls.
For example, as a financial manager, you own and manage the financial risks for the organization. CCM isn’t about the existence and effective operation of controls; it’s truly about managing risk.
When an auditor tests your controls, they are likely looking at only a small sample of data and testing to assess if your system or process controls do work. They may provide confirmation that a control is working, but it has only been proven for 0.01% of your total revenues. Continuous monitoring will find the exceptions that don’t get found through ad hoc analytics or sample-based testing. Also, consider the ACFE’s most recent report, which shows proactive data monitoring was associated with 54% lower losses and frauds detected in half of the time.
CCM: What are you waiting for?
Do you recall #4 at the beginning of this post, the statement around CCM increasing productivity and strengthening assurance? I’ve covered three of the more common myths here in an effort to try and make readers aware of some of the inaccuracies surrounding CCM. Hopefully, this article has given you some insight into these and will help you along your own journey to implementing CCM and achieving statement #4. With the right approach and technology, your organization can realize the many benefits of CCM.