In complex system landscapes (especially those that have leading ERP solutions that are capable of handling huge data) defining an approach for Continuous Control Monitoring can be overwhelming. The nuances of the very many configuration, master data and transaction controls in the system, when coupled with authorization mechanisms can influence the effectiveness of the controls.
Every auditor (or audit firm) faces the daunting task of defining appropriate audit procedure for various types of audits.
Testing types in a traditional audit generally varies from one or many of the following:
- Appropriate inquiry about controls in existence,
- Activities and operations tested through observation of a process / sub process, such as reviewing transactions and supporting documents,
- Ensuring manual controls are performed by examining and recording evidence,
- When all the above is not providing sufficient assurance, manually re-performing a control test and compare against the system generated result, and,
- Using a Computer Aided Automation Tool (CAAT) (e.g. ACL, IDEA, etc.) that helps in looking at a larger sample size out of the data available.
Internal Audit, as the 3rd line of Defence, has to necessarily rely on substantive evidences provided by Continuous Control Monitoring (CCM) that can be corroborated by other audit test procedures.
With an appropriate high performing analytical platform,
- 100 % coverage of transactions chosen for control testing can be achieved and not just limited to a sample,
- The statistics (mean, variance, standard deviation, etc.) could be computed over a very large population—could be millions of transactions if you do it over the course of a quarter / year.
- Technological capabilities of a strong platform can bring in control testing and analysis that applies Artificial Intelligence – through machine learning and pattern analysis across huge data.
Leading companies have started using Continuous Control Monitoring because they reap significant benefits:
- Proactive detection and corrective measures on time before control deficiencies lead to financial misstatements and losses.
- Automation techniques available for monitoring and testing helps cover more controls than manual tests done earlier, thereby enabling better coverage and assurances to the top management for certification.
- Automated control testing makes CCM easier to schedule and evaluate tests and deal with issues.
- Lesser costs, time and effort as compared to manual testing.
- Helps bring in transparency for internal, external audits and regulatory requirements.
Leveraging Automation in Continuous Control Monitoring –
- Automated testing used for CCM brings in 360 degrees coverage for key risks. It is not just about “controls monitoring” it is about “risk identification” too!!
- Access and authorization risks (foundational internal control) to monitor segregation of duties and critical or sensitive access to data.
- Configuration risks that could arise due to inadvertent or wilful change of system configurations that could have serious repercussions on the efficiency and effectiveness of the controls.
- Master or static data changes that drives erroneous or suspicious transactions that results in waste, abuse or fraud to the organization.
- Transactions recorded in the enterprise systems have to be screened for exceptions and deviations to avoid risks.
KEY TAKEAWAYS FOR ADOPTING CONTINUOUS CONTROL MONITORING
- CCM is not just a “nice to have” concept – with almost all regulations like the Indian Companies Act, Stock Exchange Listing Agreements, and several other international requirements on certification of internal controls “efficiency and effectiveness” – it has become a “must-have” need.
- Automation of CCM with the right technology partner reduces your
- Time to test
- Cost of testing
- Efforts in setting up schedules
- Find exceptions faster and route them to users for resolution
- Take preventative steps in critical areas of business to strengthen internal controls in a timely manner
- Bring in transparency that can be shared with internal / external auditors to save audit time and effort and reliable reporting to the Board and Audit Committee.