Controls can be a difficult imposition on many companies. They can require extra data entry or the production of reports, which managers then review for anomalies. Also, larger firms use internal auditors to conduct laborious reviews of systems on a rotating basis. Both approaches are expensive, and tend to make processes less efficient. What if there were a way to automate the monitoring of controls? There is.
Several companies have created continuous controls monitoring (CCM) solutions. These systems draw data from a number of databases and then review 100% of all transactions, looking for data anomalies, errors, segregation of duty issues, and possible control breaches. The systems contain tables of standard control objectives, including the areas of authorization, accuracy, completeness, validity, and segregation of duties, and contain tests to ensure that each objective is met at each step of the various transaction process flows. These tests are available for all major transactional areas, including payroll, the order-to-cash cycle, the purchase-to-payment cycle, inventory management, travel expenses, and procurement cards.
For example, a CCM will have separate tests for the proper authorization, data entry accuracy, transaction completeness, and validity of all cash receipts. As another example, a CCM will verify that sales orders are completely filled out before being submitted for fulfillment, invoices are issued within a specified time period from order shipment, and write-offs are properly authorized.
The CCM then notifies designated employees of any problems found with browser-based reports, resulting in a highly targeted manual investigation to locate each root problem. A CCM system also makes it easier to comply with the provisions of Section 404 of the Sarbanes-Oxley Act.
Companies providing continuous controls monitoring include Vancouver-based ACL Services (www.acl.com) and Fairfax-based WebMethods (www.webmethods.com).