The themes of my recent EDPACS article and recent speeches on continuous monitoring  (both at www.canco.us) are that, while CM was born, to some degree, in the compliance/assurance areas as CA, and continuous controls monitoring,  CM continues to expand in all aspects of society: government, medicine, and business and the prime objective is to build it into operations to improve information integrity, controls, efficiency, overall reliability of systems, protection of brand value and to meet customer expectations.

 I was interviewed for the attached article exploring why the promise of CA has not gone mainstream with corporate America? The article states the idea of CA & CM is seductive: If you monitor and test mistakes can be found early, fraud can be discovered early etc. However, according to a PWC survey only 20% of companies consider themselves to have a mature grasp of data analytics technology and 10% consider themselves in the lowest tiers of data analytics and CA use. Therefore 70% are in the middle – i.e.: focused on and working on expanding the use of monitoring.

 My summary take away is twofold:

1-      There is a need for more information, coordinated leadership and assistance for companies to move forward with continuous monitoring.

2-      The potential for expanded monitoring based on rational investments and ROI potential over the long term are significantly positive.

 Barriers sited:

• Cost and other priorities – the need with monitoring to invest time, money and resources, in this economy companies have put this on hold. One quote was that it is not expensive.
• Getting access to transactional data, in some cases scattered throughout the company.
• CA & CM identity crisis – confusion over monitoring performed independently by auditors CA and built in by business process owners CM – just needs clarification
• Public accounting firms are “skeptical” about monitoring – therefore it needs to be driven by companies themselves. Accounting firms are focused on year end financial statement audits not business processes improvements.

 The article reports that companies that are serious about monitoring tend to be focused, not on (or not only on) compliance but on overall improvements to business process that result for continuous monitoring and auditing key aspects of the business. – “the compliance benefit is the icing on the cake.” This is my point exactly!!

Continuous Monitoring (CM) is an evolving use of technology to improve operations integrity and information and transaction quality. This article pleads for internal auditors to promote the expanded use of continuous monitoring by operations, as well as, internal audit.

Continuous Monitoring (CM) is a business operational issue swir- ling around in auditing and accounting practices! Monitoring what, you may ask? I believe there is an ever expanding, Orwellian,1 interest in monitoring in general. Think cameras looking for terror- ists; however, in financial areas we tend to focus on continuous controls monitoring (CCM) and or continuous controls monitoring of transaction (CCM-T).

Most financially focused articles or guidance on Continuous Monitoring are written for auditors and or accountants and have an internal control focus. COSO, an organization of accounting and auditing organizations,2 recently released comprehensive gui- dance on monitoring, called ‘‘Guidance on Monitoring Internal Control Systems.’’ While important, I think we are overly focused on internal controls and should be more focused on business opera- tional issues!

CM is on the move—but unfortunately CM is only very gradually gaining ground. One reason CM is moving slowly is that CM is predominantly a business operations issue. It can also add to the internal control system and therefore most times affects audit coverage, through audit scope reductions. However, this is the tail—not the dog! First you have to have a business function and then you need internal control (IC).

For example, many companies now use CM to ensure the accu- racy of their procure to pay system. This can be structured to reduce duplicate payments, so it is an added control and hence part of the expanded IC system. Others add integrity checks in systems to better ensure accuracy of data. Credit card processors monitor data transactions, to catch duplicate transactions before they get too far into the systems. Even the new automated toll systems on our highways have CM to edit out duplicate transaction at the point of capture. These are all CM controls built into the IT systems by operations.

Since EDPACS is an Auditor-focused publication, my recommen- dation is that audit, specifically Internal Audit (IA), should be keenly focused on making operations management aware of these new automated continuous monitoring systems to improve efficien- cies and effectiveness of the operations they will audit.

WHAT ABOUT CONTINUOUS AUDITING (CA)?

Audit is an independent verification function. Auditors can and do use automated, independently implemented computerized applica- tions as part of their audit coverages. On occasion these audit rou- tines are built into operations, but controlled by audit. In all cases audit should and will adjust their audit scope to value CM systems built into operations. However, the most important role auditors can serve, with regard to CM, is to recommend its expanded use, thereby leveraging systems efficiency and effectiveness, as well as the overall control environment.

Decades ago, when I transitioned from public accounting and auditing to the Chief Audit Executive (CAE) role, at Phelps Dodge Corporation, I took a very broad view of our internal audit mission. We decided to cross some lines and set our mission to improve the company’s controls and business efficiency—rather than just auditing controls. We set a broad scope, first to focus on financial audits but more importantly to go well beyond financial into opera- tional audits, contract audits, and acquisition audits. We wanted to go further than audits to recommend efficiency, as well as systemic integrated control features. We wanted to help improve the business operations.

IA, and to some degree external audit, is perfectly positioned to identify opportunities for efficiency and control improvement opportunities. In many cases these opportunities involved the use of automation. This approach resulted in our management seeing tremendous value in IA. In addition, our Board, not just the audit committee, began recommending our approach at other companies. As a result, I wrote a book called Managing the Audit Function, now in a third edition and Chinese translation.(3)

SOME HISTORY

The Foreign Corrupt Practices Act (FCPA) required functioning systems of IC. Therefore, in the 1980s at Phelps, we started issuing opinions on IC, using negative assurance. This was revolutionary in its day. We gave management an opinion they could point to as part of fulfilling their responsibility. However, while not a requirement of the FCPA, we also had a focus on operations systems improve- ments, well beyond controls. IC is a subset (i.e., a part of the business function).

In the compliance area, SOX has provided a much needed and significant focus on internal controls. However, SOX took us in the wrong direction too, in a least two ways. SOX is focused on IC over financial reporting. FR is just one of many company systems, an important one, but far from the only important system.(4)

Second, in the rush to compliance most companies have ignored the opportunity to change the paradigm by using CM, and further by using computers to develop efficient integrated, automated con- tinuous controls and transactions testing. This is not rocket science; CM is part of the ever expanding use of edit checks we have been employing since the first generation of computers.

With the publication of COSO’s ‘‘Guidance on Monitoring,’’(5) we have a reason to look again at CM and the backward-looking audit model. Why do we continue to audit so heavily at a point in time or at the end of a period? Just because that is the way we always did it? We should be looking to broaden the scope of application of CM, by making business operations managers more aware of CM.

THE NEW MILLENNIUM

With all the progress we have made with business systems technol- ogy, and the Internet, in the area of real-time business, the existing time delays in controls checking, information integrity verification, and the backwardly looking audit process look archaic. What we need is full-time, real-time automated controls built into operations systems.

Let’s look more closely at the positive characteristics of CM. A CM program is a non-emotional, never tiring automated ‘‘monitor- ing agent’’ inspecting, in real time, verifying adherence with com- pany policies, authorizations, proper sequence, correct timeframe, in the right location/region, and so on. When exceptions are identi- fied by computer monitoring, you can add to efficiencies with auto- mated ‘‘dashboards’’ and follow-up systems—to limit manual intervention and assessment.

Few could argue it is the dawn of a new day in America. President Barack Obama uses a BlackBerry and has hired a Cabinet-level CIO.(6) We are in economic turmoil but we have begun to look for ways to boost innovation and address complex issues. For example, one big issue he is addressing is medical costs. Plans call for using technology as a way to improve medical practices and reduce cost over time, by among other things automating medical records and processes.

Automation, while extensive in general, has only begun to bene- fit financial and operations systems efficiency, effectiveness, and control. One outcome of expanding complexities and recent corpo- rate malfeasance is that compliance and assurance costs have recently risen dramatically. The reason, we have expanded con- trols testing; however, automation in the control environment is, as noted, growing slowly.

According to the Corporate Library audit costs increased 64% from 2001 to 2006.(7) How do we reverse the trend? Companies need to look at the significant opportunities to reduce the cost of audits and compliance, and save money by using continuous monitoring (CCM and CCM-T) and continuous auditing.

According to a January 2009 Gartner report, despite the benefits of CM, too little attention has been placed by chief financial officers, internal auditors, and corporate risk management and compliance leaders on the automation of financial controls monitoring.(8)

I have been following the developments in the field of CA and CM for years. While progress has been slow, the need for change is now critical. I have written about progress in my role as editor-in-chief of the IS CONTROL Journal from 1987 to 2007, and pushed for implementation in my many positions at IIA, ISACA, and as a founding Advisory Board member of the Center for Continuous Auditing (CA) and Monitoring (CM), at the Rutgers University Business School. I was a COSO Board member and FEI Task Force contributor during the study and publication of COSO Monitoring.(9)

WHAT MAKES THE IMPLEMENTATION OF CM SO SLOW?

One problem I see time and time again is Who initiates the process— Audit, finance or operations? Hence this article! It may take a coordinated effort. Finance and IA understand controls but maybe not understand all the operating issues. Operations management may not be aware of the emerging field of CM software. Therefore the opportunity for IAs, with a broader focus on improving the business, to recommend specific CM applications, is like low-hanging fruit, to impact the business in a positive way.

Another issue is the time and cost of developing CM software systems. However, in the past decade many new software solutions have been released. Auditors are well aware of ACL and IDEA; however, software is now also available from software companies, such as Oversight Systems, Approva, Infogix, and SymSure. In addition, ERM systems, such as SAP, have been adding CM applica- tions. Further, Microsoft is currently beta testing a GRC System that will include CM. These and other systems can be used to make the controls processes more efficient and effective. IA should be investigating these new tools and recommending them in their reports.

Where do you look to use CM? Consider any system that produces critical information that is used to make decisions or send data to other systems or third parties. Bad data or information could result in bad decisions or incorrect information leaving the company sys- tems. Look for where a lot of effort is used to manually review for accuracy or where there are a lot of audit hours, internal or exter- nal, expended.

ONE ISSUE MAY BE AUDIT INDEPENDENCE

One debate I have been hearing for years, in the audit profession, is the issue of auditor independence. As a public accountant and CPA I was well aware of the need for independence. When I became a CAE, I studied the IIA Standards and the audit indepen- dence issue. However, the popular theory that, as IA, we could not design controls improvement, sent me into many healthy debates with my contemporary CAEs, directors, and managers. I was told if we ‘‘designed controls’’ we could not independently audit them. With this I disagreed in general. For example, at Phelps we published a booklet on basic controls procedures for desktop computers. To address the appearance of actually ‘‘designing controls,’’ we collaborated with our IT department and jointly publish the booklet. We audited against this recom- mended control framework, but the key deliverable was giving the users in operations a road map to improve controls themselves!

IA is in a great position to identify many potential applications for CM in operations. That is, if IA is directed at looking way beyond audit objectives—to business objectives.

As my career progressed I traveled through the CAE and CFO positions on my way to the COO and CEO positions. My experience tells me the focus of CM should be on operations and financial systems—efficiency, accuracy, and control. Auditors should advise management that controls lead to efficiency and therefore better cash flow (cash inflows faster i.e.: turn and more cash flows in i. e.: volume). In some cases IA could convert CA systems to on-going CM. When suggesting the use of CM, audit should make sure the objectives of CM are explained and the return on investment (ROI) estimated.

SUPPLY CHAIN CASE STUDY

As the CFO of Etienne Aigner Group (EA), a consumer products company, I lived every day looking at cash generated in our stores and daily shipping to our wholesales customers. When we ship we bill, and begin the clock ticking to cash collections. I find many audit professionals are not aware enough of this basic business focus. Audit and CA are about independent reviews—but there has to be a business to review, and that business must be efficient, hence more CM.

As CFO I was asked to take over supply chain management, including product flow, storage, and distribution. There was a lot to do; we did not have good controls or efficiency. We did not have a locator system in our distribution center. This caused our picking process to be very slow—they had to hunt for product or work from memory. As a consequence, as CFO, I, along with our external accountants and Board, demanded a good annual physical inventory. However, a physical inventory costs money to imple- ment, shuts down shipping to customers, and slows cash flow.

We decided to use continuous monitoring to improve shipping throughput (speed) and accuracy. Our goals included the elimination of the annual physical inventory—but this was a minor benefit. The real benefit was efficiency of the distribution operation—speed in picking and shipping product with less staff, every day of the year.

We built an inventory locator system and improved automated efficiencies by adding locations to the pick tickets. We then added a control function (Inventory Control Dept. [ICD]) that reviewed inventory received, and released it into the inventory. Thereby, catching errors, at the beginning of the process. We had this ICD group report to the controllers function. This was not an added cost; we transferred three distribution workers whose jobs were offset by efficiencies in the large (about 100 people) inventory picking and shipping operations. We implemented activity-based costing to study all costs—so we could drive the costs down.

The ICD did statistical test counts every day and was called in any time a pick ticket indicated a problem. The flip side of product picking was a partial accuracy control test on every pick operation, for which there was no problem. The point here is CM is about operations improvement by having controls along the way. Audit is an independent verification that the IC system is working. By reviewing the ICD work and performing independent test counts we eliminated the full inventory count. The productivity gains were enormous; we picked and shipped faster with less staff.

FINANCIAL SYSTEM CM

Let’s look at real CM scenario, explained to me by Patrick Taylor, CEO of Oversight Systems and a thought leader on CM. The CFO of one of Oversight’s clients, a $6 Billion technology company with global operations, was concerned about how he could ensure better controls over manual journal entries. He noticed an enormous area of risk and large expenditures for manual testing.

When financial departments close the books, they book adjust- ments to various estimates, based on analysis, to account for non- systemic, often judgmental, reserves for such things as legal settle- ments. Furthermore, many times compensation is based on P&L results making these manual journal entries even more sensitive. Since the company had numerous separate profit and loss centers they did extensive testing, and their external auditors did exten- sive testing of these manual entries. But this took a lot of time and money.

The CFO considered this an area where using CM could expand controls testing, speed up the process and lower the cost of the manual testing, both internal and external. They called in Patrick and his team, who designed automated tests, some of which mir- rored the current manual tests; others went beyond. They also introduced systems to monitor and track identified items for follow-up. This CM system expanded controls testing and reduced the independent audit testing time. Again, the point of this article is that IA, too, is in an ideal position to recommend CM to use automation to improve the company’s control environment.

CM DEVELOPMENTS IN EUROPE

I recently read some good news on CM from the Financial Executives Research Foundation. In a recent Issue Alert—‘‘SOX Optimization: European Corporations Find Ways to Enhance Risk & Compliance Programs,’’ which was based on a survey by BMR Advisors, they present two major trends: – continue reading here

[media id=1]

Michael P Cangemi, SOXTv clip

Interview 1 – What are the Benefits of Implementing CobiT? – Runtime 2:26
Interview 2 – What are Some of the Best Practices in Managing the Audit Function? – Runtime 2:29 – A great preview of Mr. Cangemi’s book Managing the Audit Function!
Interview 3 – How Do You Assess the Performance of the Audit Department? – Runtime – 1:49 A great preview of Mr. Cangemi’s book Managing the Audit Function!

CanCo is proud to announce that Michael P Cangemi has contributed the Forward for the new book IT Auditing: Using Controls to Protect Information Assets, by Chris Davis, Mike Schiller and Kevin Wheeler. (ISBN 0-07-226343-1) published by McGraw-Hill, in January 2007. Available at amazon.com or mcgrawhill.com.

IT Auditing provides real-life practical guidance from experts how have performed IT audit work in real corporations.  Written for seasoned IT auditors who want to expand their skills and new IT auditors who need guidance and exposure to new skill sets, this book covers the latest auditing tools alongside real-world examples, ready-to-use checklists, and valuable templates.
Readers will learn how to analyze Windows, UNIX, and Linux systems; secure databases; examine wireless networks and devices; and audit applications.  Up-to-date information on legal standards and practices, privacy and ethical issues, and the CobiT standard are included.
Click here to purchase this book.
About the Authors:
Chris Davis, CISA, CISSP, shares his experience from architecting, hardening, and auditing systems.  He has trained auditors and forensic analysts.  Davis is the coauthor of the bestselling Hacking Exposed: Computer Forensics.
Mike Schiller, CISA, has 14 years of experience in the IT audit field, most recently as the worldwide IT Audit Manager at Texas Instruments.
Kevin Wheeler, CISA, CISSP, NSA IAM/IEM, is the founder and CEO of InfoDefense and has more than ten years of IT security experience.