Continuous Controls Monitoring: A Great Idea; Proceed With Caution

By Matt Kelly posted 7 hours ago


Financial reporting and SOX compliance teams are always looking for ways to reduce the risk of erroneous financial reporting, and one cutting-edge strategy to achieve that is through continuous controls monitoring.


The idea certainly sounds appealing. With clever use of technologies such as artificial intelligence, accounting and SOX compliance teams will be able to monitor all your organization’s transactions as those transactions happen, and then immediately intercept any exceptions that somehow evade your internal controls. 

More efficiency, faster remediation, fewer surprises at audit time — what’s not to love? 

The reality of “CCM” is more complicated. Let’s take a look at the issues internal control teams will need to anticipate before you can reap all those benefits that CCM promises.


What Continuous Controls Monitoring Is Really About

For starters, the phrase “continuous controls monitoring” isn’t quite accurate. You aren’t just monitoring controls to observe how they perform; you’re monitoring controls to identify instances of something unusual happening: an invoice received before purchase order issued, a payment made to a vendor not in the master vendor file, an accounts receivable estimate changed despite incomplete documentation, and so forth. 

We should also be more precise with “something unusual happening.” What that phrase really means is an action taken without proper authority. The specific unauthorized action could be anything, but fundamentally — somebody somewhere in your organization is executing a transaction without the proper authority to do so.

That’s what continuous controls monitoring really is: monitoring the transactions happening within your enterprise so that you can log every instance of someone doing something that’s beyond the authority for someone in his or her role.

Why dwell on the deeper meaning of CCM so much? Because only then can financial reporting and SOX compliance teams move on to the next, more important question.

How do we make sure CCM doesn’t go haywire? 


Rushing Into CCM Can Cause Confusion

As elegant as CCM might sound in theory, it clashes with the reality that people in corporate organizations execute transactions beyond the scope of their normally defined roles all the time. For example:

  • The corporate controller goes on vacation to Mongolia, and tells the CFO that the deputy controller will pinch-hit on processing payments for three weeks. 
  • The company does a round of layoffs, and plant managers suddenly have contracting authority previously handled by regional managers. 
  • A promising financial analyst is granted the title “senior analyst” so she won’t quit; and since the ERP system doesn’t have a defined senior analyst role, she’s given the permissions of a financial manager.

All of the above are reasonable deviations from standard roles defined in most ERP systems, but they’re still deviations. Continuous controls monitoring isn’t built for deviations. CCM is built to identify transactions that don’t adhere to an organization’s set of predefined authorities and permissions — when, as a practical matter, the people within that organization side-step those rules all the time. 

Yes, sometimes employees side-step those rules to commit fraud or some other adverse act, and you do want to catch those exceptions. Many times, however, employees engage in unusual transactions for legitimate reasons. 

That’s the quagmire of continuous controls monitoring that you want to avoid. 


Plan Now for Better CCM Adoption

None of this is to say that finance and SOX teams should abandon continuous controls monitoring before the idea even starts. CCM is still far better than the traditional approach of an audit that looks backward at a sample of transactions and then makes judgments about your overall control effectiveness. 

SOX compliance teams just need to design and implement CCM with a clear-eyed understanding of how a technology like this will perform once it encounters the actual humans at your organization.

For example, a pilot program (say, one department) can let you see how many exception alerts CCM might generate, and why. That helps you to understand whether the artificial intelligence behind your CCM system has been sufficiently trained and has “learned” which exceptions truly do need immediate attention, versus those that have valid explanations (see our controller on vacation in Mongolia, above) and can be ignored.
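To make the deviation problem concrete, here is an added illustration (not code from the post or from any CCM product) of the check CCM performs: each transaction is compared against the authority of the actor's role, and a delegation register with a validity window lets the deputy controller's three-week stint go unflagged while out-of-window and never-granted actions still raise exceptions. The role names, actions, dates and transactions are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

# Constructed authority matrix: which roles may perform which transaction
# types. Hypothetical, not taken from any real ERP role model.
ROLE_AUTHORITY = {
    "controller": {"process_payment", "approve_po"},
    "deputy_controller": {"approve_po"},
    "regional_manager": {"sign_contract"},
    "plant_manager": set(),
}

@dataclass
class Txn:
    txn_id: str
    user: str
    role: str
    action: str
    on: date

@dataclass
class Delegation:
    """Temporary grant of an action to a named person, valid start..end inclusive."""
    grantee: str
    action: str
    start: date
    end: date

def effective_actions(txn, delegations):
    """Role authority plus any delegation that covers this user on this date."""
    allowed = set(ROLE_AUTHORITY.get(txn.role, set()))
    for d in delegations:
        if d.grantee == txn.user and d.start <= txn.on <= d.end:
            allowed.add(d.action)
    return allowed

def monitor(txns, delegations=()):
    """Return (txn_id, reason) for every transaction outside effective authority."""
    return [(t.txn_id, f"{t.role} lacks authority for {t.action}")
            for t in txns if t.action not in effective_actions(t, delegations)]

# Constructed sample stream: the deputy controller pays invoices while the
# controller is away (T1 inside the window, T2 after it) and a plant manager
# signs a contract that was never delegated (T3).
SAMPLE_TXNS = [
    Txn("T1", "dana", "deputy_controller", "process_payment", date(2024, 7, 3)),
    Txn("T2", "dana", "deputy_controller", "process_payment", date(2024, 8, 1)),
    Txn("T3", "pat", "plant_manager", "sign_contract", date(2024, 7, 10)),
]
SAMPLE_DELEGATIONS = [Delegation("dana", "process_payment", date(2024, 7, 1), date(2024, 7, 21))]
```

Running `monitor(SAMPLE_TXNS)` without the register flags all three transactions; with `SAMPLE_DELEGATIONS` only T2 and T3 remain, which is the alert-volume difference a pilot should surface.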

Consider the experience of our friends in the IT security world. Corporate security teams started continuous security monitoring in the 2010s — and have been deluged with security alerts ever since. Partly that’s because cybersecurity attacks have soared, a phenomenon that isn’t likely to strike finance teams. Still, security personnel are overwhelmed with sorting out truly severe threats from immaterial ones. That’s what SOX compliance teams want to avoid.

The good news is that SOX compliance teams adopting continuous controls monitoring today will be able to rely on artificial intelligence to a greater extent than cybersecurity teams could in, say, 2015. You might be able to sidestep the “alert exhaustion” and other growing pains we’ve seen in the past. 

But fundamentally, you’ll need to proceed with caution so that continuous controls monitoring works for you, rather than you working for the AI as you rush around responding to every alert it raises. 

The latter would crush any efficiency gains. Worse, it would create a terrible culture with good employees grumbling, “Why do we even bother with this?” 

SOX compliance teams already encounter the “Why do we even bother?” question enough as it is. We don’t need reckless adoption of continuous controls monitoring to make matters worse.

About Matt Kelly

Matt Kelly is an independent compliance consultant specializing in corporate compliance, governance, and risk management. He shares insights on business issues on his blog, Radical Compliance, and is a frequent speaker on compliance, governance, and risk topics.

Kelly was recognized as a "Rising Star of Corporate Governance" by the Millstein Center in 2008 and named to Ethisphere's "Most Influential in Business Ethics" list in 2011 and 2013. He served as editor of Compliance Week from 2006 to 2015.

Based in Boston, Mass., Kelly can be contacted at mkelly@RadicalCompliance.com.
